Skip to main content

Friday Five 5/7

by Colin Mullins on Friday May 7, 2021

Contact Us
Free Demo

Expanded bug bounty programs, trade secret cases, and Google's push for 2FA - catch up on all of the week's infosec news with the Friday Five!

1. How China turned a prize-winning iPhone hack against the Uyghurs by Patrick Howell O'Neill

This article follows the latest developments in cybersecurity in China, specifically how an iPhone exploit was used to target Uyghurs, an ethnic minority group that resides in the country. Since China has banned cybersecurity researchers from competing in US hacking competitions, such as Pwn2Own, there has been a rise in domestic hacking competitions in China, most notably the Tianfu Cup. This new domestic focus is driven by the Chinese government’s desire to use exploits for political or economic purposes instead of letting them be publicly disclosed abroad and in turn, quickly patched. The focus of the story is on the winning malicious code at the inaugural Tianfu Cup, which consisted of a string of exploits that allowed an attacker to take over iPhones and was later found to have been used to spy on Uyghurs. By cutting off the ability for Chinese hackers to get paid for sharing their exploits abroad, the government seems to have succeeded in its goal to keep more exploits under wraps in China to be used for political purposes.

Read more

2. DOD expands vulnerability disclosure program, giving hackers more approved targets by Shannon Vavra 

The Pentagon announced this week that it will be expanding its list of targets that ethical hackers can search through to find potential vulnerabilities. As part of the “Hack the Pentagon” program, hackers are now allowed to test all publicly accessible DOD information systems. The increased scope of the bug bounty program helps illustrate the DOD’s shift towards greater trust and collaboration within the private sector. Bug bounty programs as a whole have seen a significant uptick in the last year; HackerOne has seen a 63% YOY increase in the number of hackers submitting vulnerabilities. Hopefully, more ethical hacker involvement in government cybersecurity will help shore up the country's defenses.

Read more

3. Ex-Apple Employee Denies Leaking Trade Secrets by Chris Brook

In the latest high profile trade secrets case, a former material lead at Apple is denying that he leaked trade secrets to a journalist. Though he does acknowledge he spoke to the journalist in question, he insists it was only to get a favorable story for a startup he had invested in and no secrets were exchanged. Apple has countered by saying that the employee, Simon Lancaster, downloaded a substantial number of confidential Apple documents on his last day at the company that contained information that could prove valuable to the startup. They also allege a quid pro quo with the journalist where secrets were exchanged in return for a positive writeup about the startup. The case will now have to play out in court and could have implications for future ex-employee trade secret cases.

Read more

4. Google Wants to Make Everyone Use Two Factor Authentication by Lorenzo Franceschi-Bicchierai 

In major privacy news, Google announced that it will prompt all users to enable two-factor authentication and will soon automatically enable 2FA for all users. The change in policy serves as an acknowledgment from Google that passwords alone, for a myriad of reasons, are not enough to keep users’ data safe. For those unfamiliar, 2FA, a.k.a. two factor authentication, is a security mechanism where a user needs to provide both their password and a secondary form of verification to login, such as a code securely sent to their phone. Security researchers have been urging the public to use 2FA for years, so the forced adoption of the policy from a tech giant like Google is a positive step for greater societal adoption of 2FA.

Read more

5. Florida homecoming queen faces up to 16 years after alleged scheme to hack high school contest by Tim Starks

In what is becoming a bit of a trend, a teenager is accused of rigging a homecoming queen contest by casting hundreds of fraudulent votes after gaining unauthorized access to the school computer system. Along with her mother, who was allegedly involved in the plot, she is facing up to sixteen years in prison on a litany of charges, including criminal use of PII and unlawful use of networks. The story comes on the heels of a similar story of a Pennsylvania mother who allegedly used deepfake videos to harass rivals on her daughter’s high school cheerleading team. It will be up to prosecutors to determine enough of a punishment to deter future schemes while recognizing that it was over a homecoming vote and there was no financial damage.

Read more

Tags:  Bug Bounties Cybersecurity

Recommended Resources

The Definitive Guide to DLP

All the essential information you need about DLP in one eBook.

The Ultimate Guide to Data Protection

Everything you need to know about data protection but were afraid to ask.