Cyber Security Headlines – September 4, 2020

Facebook formally codifies policy on third-party vulnerabilities

The change was published in a blog post, and Facebook says that when it finds critical bugs or security vulnerabilities in third-party code, it will give developers 21 days to respond and 90 days to fix the issues. The company says it will make good-faith efforts to report the bugs appropriately to third parties, but reserves the right to disclose sooner if a vulnerability is being actively exploited. Along with the policy change, Facebook says it will disclose its own patched vulnerabilities. As part of this, the company published details on six recently patched WhatsApp vulnerabilities, five of which were patched the same day they were discovered, and none of which showed evidence of being exploited.

(TechCrunch)

Apple delays changes to device ID collection

Apple told The Information that it delayed the change in device ID collection to 2021 in order to give developers more time to adapt. Apple announced at WWDC that in iOS 14 it would start requiring users to opt in to sharing their device ID for tracking purposes such as advertising. Facebook recently told its ad customers it might have to stop operating its Audience Network product on iOS as a result of the change.

(The Information)

Geofence warrants strike out in federal court

Federal courts in Chicago have three times rejected government applications for warrants that would force Google to release which phones were near two commercial locations during three 45-minute intervals. Google says requests for these “geofence” searches have risen a hundredfold in the last two years. Magistrate Judge Gabriel Fuentes noted that the courts have long rejected “all persons” warrants that allow searches of everyone in a particular location, saying that one could only be granted if it could be shown that all persons in the area were likely part of the same criminal enterprise.

(Ars Technica)

Most cybersquatting sites are at least suspicious

This finding comes from a new report from Palo Alto Networks, which identified 13,857 domains classified as cybersquatting by lexical analysis. The researchers monitored the domains for activity over the following 8 months and found that 19% were malicious, actively distributing malware or being used to stage phishing attacks. An additional 37% were labeled suspicious, either hosting legally dubious software or hosting insufficient content. Palo Alto Networks found that combosquatting involving COVID-19 related terms, registered in combination with a familiar brand’s name, was a new vector for cybersquatters. Only 18.5% of the surveyed websites used an HTTPS connection.

(Dark Reading)

Thanks to our sponsor, Trusona

Trusona enables enterprises to provide enhanced security and usability to the workforce by removing passwords from the Windows 10 login experience. The solution works with your existing infrastructure without requiring any software or hardware upgrades like Windows Hello, cameras, biometric readers or on-premises servers — making it the most cost-effective and user-friendly to deploy.

Warner Music discloses web skimming attack

The breach was disclosed in a notification letter to the Office of the Attorney General in California. Warner Music says that between April 25 and August 5 “a number of US-based e-commerce” sites that were “hosted and supported by an external service provider” were exposed as part of the attack. Affected Warner websites were not disclosed, but the company said that user information could have been exposed to third parties after adding items to a shopping cart, including name, email address, telephone number, billing address, shipping address, and full payment card details. Warner Music is offering impacted customers free credit monitoring through Kroll.

(ZDNet)

Indian Prime Minister Narendra Modi Gets Twitter Hacked

The hack impacted Modi’s official Twitter account as India’s prime minister, which tweeted out a call to donate cryptocurrency to the PM National Relief Fund. Twitter quickly locked the account and deleted the fraudulent messages, issuing a statement that it was “aware of this activity and have taken steps to secure the compromised account,” with a full investigation underway. Twitter says its own systems were not breached, and that the attackers probably gained access through social engineering against someone managing the account.

(Security Affairs)

CISA now requires vulnerability disclosure policies

The US Cybersecurity and Infrastructure Security Agency issued a binding operational directive requiring federal executive branch departments and agencies to develop and publish these policies on a web page. Agencies now have 180 days from the issuing of the order to comply. These VDPs must state which systems are in scope, the types of vulnerability testing allowed, and how to submit vulnerability reports, and must include a commitment not to pursue legal action against anyone researching or disclosing vulnerabilities in good faith. This is the first CISA directive informed by a public comment round, with the draft directive initially circulated last November.

(Info Security Magazine)

DHS funds research into ML Airport Scanning

The Department of Homeland Security’s Small Business Innovation Research program awarded funding to Synthetik Applied Technologies to develop a synthetic training data set that simulates human travelers and baggage object models in order to better train ML-based scanning algorithms. The company previously demonstrated using synthetic data sets to detect explosives. The ultimate goal of the funding is to use synthetic training data to safely build out machine learning based scanning at airports.

(Security Magazine)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.