Friday Five: 11/3 Edition
Catch up on all the week's InfoSec news with this roundup!
Face ID was inevitable. We all knew it was coming when Tim Cook took the stage in Cupertino this September. That hasn’t stopped those concerned about their privacy from fearing the worst about the iPhone X’s much-ballyhooed new authentication feature, however. Will it be easily exploitable? Just how much effort will it take an attacker? Wired’s Andy Greenberg – with help from the magazine’s David Pierce – has a good tale this week about just how secure the facial recognition system is. It’s an elaborate and entertaining story full of facial prosthetics, fake eyebrows, and (spoiler alert) mostly failure.
Mozilla regularly pulls features from Tor Browser into Firefox (the browsers are built on the same framework), so it wasn’t a huge surprise this week when the company announced it would soon give users the option to block browser fingerprinting. The Next Web’s Tristan Greene reports the feature - which helps protect users from tracking - will debut in Firefox 58, due for release in January. Tor Browser has shipped the protection, which blocks the technique known as canvas fingerprinting, for years. When enabled, the browser notifies users of attempts to read canvas data and lets them return blank image data instead, thwarting the tracking.
A deluge of Apple patches (and new emojis!) arrived this week, and among the updates for macOS and iOS were fixes for last month’s KRACK vulnerability. KRACK – which takes advantage of flaws in the Wi-Fi WPA2 protocol - could let attackers read information transmitted over Wi-Fi networks previously thought to be encrypted. Apple addressed the vulnerability in macOS 10.13.1 and iOS 11.1 on Tuesday, per Computerworld’s Gregg Keizer. Microsoft fixed the vulnerability in Windows early last month, and Google promised it would push an update for affected devices on Monday, November 6.
News broke this week that a new banking Trojan dubbed Silence has been making the rounds. The most interesting part of the Trojan, which Kaspersky Lab spotted attacking Russian banks, is that its techniques are strikingly similar to those of Carbanak, a group which has been terrorizing banks and financial institutions for years now. DarkReading’s Kelly Sheridan reports that Silence uses spear phishing emails (and social engineering) to trick users into running malicious attachments, which in turn infect machines. A “screen activity gathering module” leverages the Windows GDI API to capture screenshots and send them back to the attacker, giving them a minute-by-minute view into the victim’s machine.
5. Security Researchers Use Wi-Fi and Safari Exploits to Breach iPhone 7 at Annual Pwn2Own Contest by Juli Clover
Hackers won thousands of dollars this week as part of this year’s Mobile Pwn2Own, the annual hacking competition held in Tokyo by Trend Micro and its Zero Day Initiative. Researchers managed to poke holes in the iPhone 7, the Samsung Galaxy S8, and the Google Pixel. MWR Labs chained 11 different vulnerabilities to execute code on the Galaxy S8, while Tencent Keen Security Lab exploited iOS 11 on an iPhone 7 twice, which netted the researchers $155K, according to MacRumors. The competition is the second ZDI has put on this year; it spent $833,000 on 51 zero-day bugs as part of Pwn2Own in March.