Security Briefing – 11.14.2017
The 2016 FBI vs Apple battle in federal court over government access to encrypted devices never settled the issue. When a contractor hired by the FBI was able to break into the iPhone of a mass shooter, the case became moot. But there are, according to the US Department of Justice (DoJ), thousands more locked phones that it contends it has a right to access. So it probably shouldn’t be a surprise that the DoJ and Silicon Valley are likely headed for another collision in court, courtesy of Deputy US Attorney General Rod Rosenstein.
A Russian developer installed cryptocurrency mining code in his popular crossword game app Puzzle as well as his in-game awards and bonuses app Reward Digger, without notifying users they would be mining cryptocurrency coins on his behalf, according to researchers. This is a very inefficient way to mine cryptocurrency; however, on a massive scale it could be profitable. Puzzle alone has had 5 million to 10 million downloads.
A newly discovered banking Trojan called IcedID looks a lot like Gozi, Zeus, and Dridex – but without any code overlap. IcedID, which was discovered by IBM X-Force researchers, has capabilities similar to those of older financial-stealing malware. “Overall, this is similar to other banking Trojans, but that’s also where I see the problem,” says Limor Kessem, executive security advisor for IBM Security. One sign of IcedID’s sophistication is its distribution through the Emotet Trojan, which is designed to amass and maintain botnets. Emotet arrives on target machines via spam emails and is typically disguised in productivity files containing malicious macros.
Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets. A Twitter user, who goes by the name “Elliot Anderson” (named after Mr. Robot’s main character), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.
YouTube last week announced that it’s implementing a new policy that age-restricts this type of content in the main YouTube app when flagged. Juniper Downs, YouTube’s director of policy, told The Verge that “Age-restricted content is automatically not allowed in YouTube Kids.” The policy has been in the works for a while, so the rollout isn’t a direct response to recent coverage of the inappropriate content, YouTube says.
Privacy-minded Firefox users who are tired of websites keeping tabs on their browsing habits should keep their eyes peeled for the Firefox 57 update, also known as Quantum, due out 14 November. This next major update is expected to include an option to turn on Tracking Protection, which—as the name implies—protects you from tracking. Specifically, it stops sites from loading code that can be used to track you across multiple websites.
A study conducted by Google over a one-year period showed that online accounts are most likely to become compromised as a result of phishing attacks. Between March 2016 and March 2017, Google researchers identified 12.4 million potential victims of phishing, roughly 788,000 potential victims of keylogger malware, and over 1.9 billion users whose accounts had been exposed due to data breaches.