Friday Five 9/18
Campaign app bugs, VA data breaches, and IoT legislation - catch up on the week's news with the Friday Five!
1. A bug in Joe Biden's campaign app gave anyone access to millions of voter profiles by Zack Whittaker
A bug in the Biden campaign’s official app allowed anyone to look at the sensitive voter information of millions of Americans. The app, Vote Joe, works by having users upload their phone contact list. The contact list is then cross-checked with voter data supplied by TargetSmart to see if their contacts are registered to vote. TargetSmart is a political marketing firm that claims to have data on 191 million Americans. The expert who discovered the bug realized that they could pull up anyone’s information, including that of people outside their network, by creating a contact on their phone with a voter’s name. Further, the app recorded more detailed and private information such as a voter's home address, date of birth, gender, ethnicity, and political party affiliation. Anyone who realized the app was exploitable could gain access to a lot of private information that users of the app were unaware that they had even agreed to provide. The Biden campaign sent out an app update on Friday that addressed the bug.
2. New Windows exploit lets you instantly become admin. Have you patched? by Dan Goodin
Researchers have developed a proof-of-concept exploit for a recently patched Microsoft vulnerability that would allow access to Active Directory domain controllers. Active Directory domain controllers act like a gatekeeper, controlling access to all computers in the network. An attacker can use this exploit, known as Zerologon, if a computer is compromised by an employee clicking on a malicious link or email. One cannot overstate the danger of Zerologon. If hackers gain access to the domain controllers, they can add new computers to the network and infect any existing network computers with malware. The researchers who discovered the vulnerability made sure to hold off on releasing the exploit until Microsoft developed and released a patch. For organizations that haven't already, it’s critical to patch, via Microsoft’s August update, to make sure their network is not vulnerable.
3. U.S. Dept of Veterans Affairs data breach affects 46,000 veterans by Lawrence Adams
46,000 veterans had their personal information exposed because the U.S. Department of Veterans Affairs suffered a data breach. The cause of the breach was hackers seeking to steal payments intended for healthcare providers who treat veterans. Investigators discovered that unauthorized users gained access to the system through social engineering and authentication protocol exploitation. The VA has shut down its system while the investigation continues. The exact nature of the exposed data is not yet clear, but it could be names, addresses, Social Security numbers, phone numbers, and perhaps medical information. If you are a veteran whose information may have been exposed, it’s important to monitor your credit history in the coming weeks to make sure no fraudulent activity occurs on your account. It’s also important for those potentially affected to watch for targeted phishing campaigns that use data stolen from the attack.
4. House approves bill to secure internet-connected federal devices against cyber threats by Maggie Miller
On Monday, the House of Representatives unanimously passed the Internet of Things (IoT) Cybersecurity Improvement Act. In today’s polarized environment, any legislation that passes with bipartisan support is notable. The legislation requires all internet-connected devices, or IoT devices for short, bought by the federal government to comply with minimum security recommendations issued by the National Institute of Standards and Technology. The legislation also addresses private sector groups who provide devices to the federal government; the bill requires that they notify the government if any of the IoT devices they provide have vulnerabilities. The bipartisan support seems to stem from an acknowledgment that the lack of national standards on device security leaves the US government exposed. The bill will head to the Senate for a vote and is being co-sponsored by senators from both parties, which bodes well for the bill’s odds of becoming law. Although it may seem like just a first step, it’s a positive sign that Congress is taking notice of cybersecurity issues and is working to address the lack of legislation regarding IoT devices.
5. Five Chinese nationals, two Malaysians charged in connection with global hacking campaign by Shannon Vavra
The DOJ announced charges Wednesday against five Chinese nationals and two Malaysian nationals for their alleged connection to a global hacking campaign that hit hundreds of targets in the United States and around the world. The charges allege that the Chinese hackers compromised technology providers and installed software backdoors in their networks. The hackers are linked to APT41, an advanced persistent threat group with potential ties to the Chinese government. The range of targets was vast, from telecom and social media companies to think tanks and activists in Hong Kong. The hackers also exploited video games by hacking in-game resources - like currency - and then selling them in exchange for real-world dollars. The U.S. is seeking extradition for the two Malaysian nationals, who have been arrested in their home nation. As for the five Chinese nationals charged, the U.S. is still seeking information. The charges come as the FBI is working to roll out a new cyber strategy and the US government as a whole is trying to send a message to foreign hackers that it will not tolerate continued intrusions.