Friday Five 11/12
Apple fixes a macOS zero day, Microsoft warns of HTML smuggling phishing attacks, and more - catch up on the infosec news of the week with the Friday Five!
1. Jen Easterly Wants Hackers to Help US Cyber Defense by Graham Hacia
The Cybersecurity and Infrastructure Security Agency's (CISA) Jen Easterly continues to make the rounds. Fresh off a seemingly nonstop series of Cybersecurity Awareness Month summits, she joined the World Economic Forum and WIRED's RE:WIRED event this week. Graham Hacia recapped Easterly's chat with WIRED's Garrett Graff, which largely centered around the challenges the United States faces on the cybersecurity front and how CISA is going to help the country play defense. Easterly remains the optimist: “I’m an optimist but I'm more optimistic than I’ve ever been about how we can work together, in the government, as a team sport and with the private sector as trusted partners.”
2. Google warns of hackers using macOS zero-day flaw to capture keystrokes, screengrabs by Liam Tung
Feels like this one slid under the radar a bit: Google’s Threat Analysis Group disclosed this week that it reported a nasty zero-day vulnerability, since patched, in macOS to Apple hat was being used by a nation state group to spy on users in Hong Kong. The bug took advantage of an XNU privilege escalation vulnerability in macOS Catalina. Once a user navigated to a website, it could install a backdoor and siphon up data on the user, including the device fingerprint. It could also capture screenshots, upload/download files record audio and keystrokes, and execute terminal commands. While it's unlikely you or any of your friends would have been targeted - Google says the websites used included a "media outlet and a prominent pro-democracy labor and political group," so pretty niche stuff - it’s still great to learn the story behind the patch. Those interested in learning more about the vulnerability, like its exploit chain and IOCs, should head to Google's TAG blog for the write up.
3. Microsoft warns of surge in HTML smuggling phishing attacks by Bill Toulas
4. Google Wins Dismissal of Data Privacy Suit by U.K. Top Court by Ellen Milligan
If you're interested in the machinations of the court system as they pertain to data protection, you've likely already heard this news: Google won a bid this week to dismiss a data privacy lawsuit stemming from a claim that it breached its data collection duties by collecting and using data 10 years ago, from 2011 to 2012. As Bloomberg reports, the UK Supreme Court said Google couldn't be hit with a class action suit. In the eyes of the court, the individuals would have to show that they suffered damage. “In order to recover compensation for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that individual suffered some damage as a result.” The news could help set a precedent for future class action lawsuits.
5. How Facebook’s Outage Could Shape Public Preferences on Cybersecurity Policy by Lauren Sukin, Kathryn Hedgecock
Following its global outage a few weeks ago, Facebook went on the record and insisted it was the result of an internal DNS outage. While the downtime wasn't the result of hackers or anything overtly malicious, this Lawfare piece suggests that the company could have used the outage to better outline the important role that cybersecurity plays. Because the website (and services like Instagram and WhatsApp) are so immensely popular, the authors posit the public could be more attuned to cybersecurity issues and data privacy if Facebook used the outage as a means to prioritize a discussion around vulnerabilities. This, in turn, could help sway public opinion when it comes to the regulation of cyberspace and policy solutions.