Pinduoduo malware confirmed
Last week we covered that Google suspended the app for the ecommerce giant Pinduoduo from the Play Store, over alleged malware in its app available on other platforms. Now the security firm Lookout confirms that versions of the app on third-party markets exploited a known privilege-escalation flaw. The app used this to download and run code on the device. Researchers said the app could add widgets to devices, tracking usage of other apps, see notifications and access location information. The malicious apps were signed by the same private key as the version on the Play Store.
Binance sued by CFTC
The US Commodity Futures Trading Commission filed a lawsuit against the crypto exchange Binance and its CEO Changpeng Zhao. The filing claims Binance regularly broke derivatives rules, failing to register with the agency for several years. Other violations include instructing customers to use VPNs to obscure their locations and directing users to open accounts under shell company names. Binance’s records show that as of August 2020, it earned $63 million from derivatives transaction fees, with 16% of customer accounts in the US.
Twitter source code takedown
Last Friday, GitHub complied with a DMCA infringement notice from Twitter that sought to remove proprietary source code and tools that had been published for months. Twitter now seeks a subpoena to identify those responsible for leaking and downloading its code. The DMCA notice says someone with the handle “FreeSpeechEnthusiast” is behind the leak. Twitter has indicated that GitHub should provide information about the access history for the leak as a remedy for the copyright infringement. The leaker’s GitHub account appears active but no longer contains public repositories. Its first contribution dates back to January 3rd.
Linus and YouTube’s hacking problem
YouTube channel Linus Tech Tips and two other Linus Media Group YouTube channels suffered account takeovers last week, with the attacker able to livestream crypto scam videos, change channel names, and delete videos. According to channel owner Linus Sebastian, the attacker sent over a PDF that someone in Linus Media Group’s team downloaded, because it looked like a sponsorship offer. That PDF included malware that accessed “all user data from both their installed browsers” — including session tokens — which gave the attacker “an exact copy” of the browsers that they could export without needing security credentials.
This seems to be an increasingly common occurrence. The Verge found similar accounts seemingly taken over with the same scam in seconds. Sebastian says YouTube needs “better security options to change key channel attributes,” like reauthenticating credentials to change a channel name. Sebastian also called on YouTube to make account recovery more transparent to creators, and to be more responsive to smaller channels.
And now a word from our sponsor, Trend Micro
French government joins the app banning train
The government of France announced a new policy that bans all recreational apps from government issued phones. The country’s minister of transformation and public service, Stanislas Guerini, said no apps in the category showed robust enough security for government devices. So yes, this does include TikTok. The policy does provide exceptions for apps needed for official communications. The policy provided no clear timeline for removing the apps. This comes after several other nations banned TikTok on government devices.
Nvidia comes down on crypto
Over the past several years, the chipmaker Nvidia has shown a mercurial relationship with cryptocurrency. On the one hand, demand for GPUs to mine cryptocurrency fueled its revenue. On the other hand, mining taxed GPU supply for other users, like gamers, resulting in the company producing cards deliberately designed to be inefficient at mining. However, CTO Michael Kagan made the company’s position a little clearer in an interview with The Guardian, saying crypto “doesn’t bring anything useful for society. AI does.” This comes as, in recent quarters, Nvidia’s datacenter and AI-focused business unit generated more revenue than its gaming GPU division.
White House puts new limits on commercial spyware
President Biden signed an executive order placing limits on the use of commercial spyware by federal agencies. This bans spyware already misused by foreign actors or that could pose a security risk to the US. The order sets out guidelines for determining misuse and security risks, like using the spyware against activists. The order does not establish a ban-list of entities. Rather it will determine a spyware ban on a case-by-case basis, with no requirement for public disclosure.
The security tradeoffs of splitting TikTok
In an editorial on TechDirt, former head of trust and safety at Twitter, Yoel Roth, outlined the potential cybersecurity repercussions if the US allows TikTok to operate under its Project Texas plan. This would wall off US TikTok users, ostensibly making their data inaccessible to its parent company ByteDance. Roth points out that this will limit the ability of a US-based TikTok to find and shut down influence operations on its network, since it would only be able to work from a limited set of user signals to analyze. Roth distills the problem down to “establishing geographic limits around a problem that does not respect geography.” Right now TikTok operates with 1.5 billion global users, but a US-only TikTok would be only 10% of that.
(TechDirt)