Friday Five: 4/20 Edition
Leaky plugins, the latest on the DHS bug bounty bill, and more - catch up on the week's infosec news with this roundup!
1. Fake ad blockers in the Chrome store had over 20 million installs by Mariella Moon
Lots of news got lost in the haze of RSA this week, including the fact that Google gave the boot to five phony ad blockers that boasted over 20 million installs. Researchers with AdGuard said Tuesday the bogus ad blockers, AdRemover for Google Chrome, uBlock Plus, Adblock Pro, HD for YouTube, and Webutation all had extra code that harvested data on whatever sites users visited. It's definitely not the first time something like this has happened; last year a fake Adblock Plus extension made the rounds and actually lingered long enough online that it was downloaded by 37,000 people.
2. Senate passes DHS bug bounty bill by Derek B. Johnson
Not a huge surprise here - as this beloved bipartisan bill was expected to pass when it was first announced last October - but the Senate passed legislation around the creation of a bug bounty program, the Hack DHS Act, this week. It's expected the pilot program bill - which would allot $250K for the DHS to contract an outside organization to run it - will pass, especially after the success of similar programs deployed by the Pentagon and the General Service Adminstration. While FCW's article recaps how the bill passed perhaps the more interesting article is one published on Thursday by NextGov that cites a Homeland Security official who says the program would duplicate work it's already doing.
3. DHS Helps Shop Android IPS Prototype by Kelly Jackson Higgins
Speaking of the DHS: Interesting news here via DarkReading, which reports the cabinet department showcased an intrusion prevention system, or IPS, for mobile devices this week at RSA. The prototype, named APE, was designed as an app for Android but could theoretically be adapted to work on iOS according to an engineer at MITRE, which developed the IPS years ago. "We're actually doing all the steps that it takes to get [a] product commercially viable including partnering with industry and the inventory community, getting them to rally around the technology, help with development of the technology, and get this product to market so people can buy it, including government agencies," Nadia Carlsten of DHS' Transition to Practice (TTP) program told the publication this week.
What is NIST Compliance? (Checklist, Definition, & More)
4. NIST releases latest version of its Cybersecurity Framework by Kim Gold
This week also silently saw the National Institute of Standards and Technology (NIST) release a new version of its Cybersecurity Framework. According to the legal blog Data Protection Report, which recapped it on Thursday, version 1.1, released on Monday, contained updates to authentication and identity, self-assessing cybersecurity risk, managing cybersecurity in the supply chain, and vulnerability disclosure. As Kim Gold, Senior Counsel with the firm Norton Rose Fulbright points out, the fact the framework has been updated should get the attention of anyone in the healthcare industry, as the standards are usually implemented to comply with HIPAA.
5. LinkedIn’s AutoFill plugin could leak user data, secret fix failed by Josh Constine
LinkedIn was relatively quick to fix a vulnerability it called a feature this week that was being abused to expose visitors' names, phone numbers, email addresses, ZIP codes, company and job title to third-party websites. “Malicious sites have been able to invisibly render the plugin on their entire page so if users who are logged into LinkedIn click anywhere, they’d effectively be hitting a hidden ‘AutoFill with LinkedIn’ button and giving up their data,” TechCrunch reported Thursday. The site fixed the issue but not completely. Attackers could still exploit the vulnerability by installing an iFrame to a site with a cross-site scripting vulnerability. LinkedIn ultimately pushed a patch to resolve that issue after the initial vulnerability got publicity this week however.