Friday Five: 5/17 Edition
News on the latest microprocessor side-channel attack, the big WhatsApp vulnerability, and combating online harassment are all covered in this week's Friday Five!
1. Here’s How ZombieLoad Affects Data Centers and What to Do About It by Maria Korolov
Hard to recall the last time there was as much news in a week as this week. Perhaps the biggest story revolved around ZombieLoad, a new side-channel attack, similar to last year’s Meltdown and Spectre vulnerabilities, affecting Intel processors that could let attackers steal data. The vulnerability, which affects every chip the company has made since 2011, was fixed by Apple, Google, and Microsoft this week. While everyone should update their software to mitigate the vulnerability, here's some interesting and potentially overlooked insight via Data Center Knowledge, on how troublesome the vulnerability could be in multi-user environments like virtualized servers in data centers: “In a data center... one virtual machine could eavesdrop on what's happening in another virtual machine on the same server without having to install the malware on that second VM. That's especially troubling for cloud environments, since one user could install the exploit on their own cloud VM to spy on other users.”
2. WhatsApp voice calls used to inject Israeli spyware on phones by Mehul Srivastava
Perhaps the second biggest story this week – big enough that it made the network news – was a revelation via the Financial Times on Monday that WhatsApp, the exceedingly popular messaging app - 1.5 billion users - contained a vulnerability that allowed attackers to inject spyware onto phones. Engineers with the company, which is owned by Facebook, reportedly worked around the clock a week ago last Friday to fix the issue which it disclosed to the Department of Justice last week. The spyware that exploited the vulnerability appears to be connected to NSO Group, the now notorious Israeli surveillance software firm. NSO Group naturally denied any involvement in the hack but said it would investigate any “credible allegations of misuse” of its technology. The group consistently gets the attention of groups like Amnesty International; the group this week said it’s supporting a legal action to take the Israeli Ministry of Defense (MoD) to court in hopes that it ultimately revokes the export license of the firm.
3. Microsoft's First Windows XP Patch in Years Is A Very Bad Sign by Brian Barrett
The hits kept coming this week, especially on Tuesday, the same day the scope of the ZombieLoad attack came to light and the same day Microsoft urged Windows users to update XP in order to mitigate a “wormable” WannaCry-esque vulnerability. "Any future malware that exploits this vulnerability," Simon Pope, Microsoft's Director of Incident Response, said of the vulnerability, CVE-2019-0708, "could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” The CVE, a remote code execution bug in Remote Desktop Services, doesn't affect Windows 8 or Windows 10 but out of support versions, like Windows 2003 and Windows XP, as old as they seem, are affected. As Wired points out, this could wind up portending some major events, especially since the last time Microsoft pushed an XP update it was shortly before WannaCry. A good chunk of the world, tens of millions of desktops and laptops, still run XP, and as Wired points out, a number of those are machines in hospitals, businesses, and industrial plants. “The coming weeks and months should show… just how wide a gap exists between providing a patch and getting people to install it. An attack on Windows XP is at this point inevitable. And the fallout might be worse than you’d have guessed,” Brian Barrett wrote Wednesday.
4. This startup provides health insurance against online harassment by Sean Captain
It feels like we first heard of Tall Poppy years ago but it turns out it’s really only been one. Leigh Honeywell, a former security engineer at Slack, started the company - which specializes in building tools and services for people facing online harassment – with her business partner, Logan Dean, last April. Fast Company’s Sean Captain has done stories on Honeywell before and does a great job here encapsulating the business, which is sold as a service that companies can offer as an employee benefit. The company specializes in cyber hygiene training, teaching employees how to wipe personal data off the internet, helping employees create better passwords, and limiting employees' connections on apps to third party apps. The company, having raised over a million dollars and a dozen customers, some too prominent to name, is clearly on the upswing.
5. Europe's Data Protection Rules Need Reforms, Report Says by Sintia Radu
A report out this week via Washington's Center for Data Innovation is warning the EU should better tailor the General Data Protection Regulation (GDPR) to accommodate artificial intelligence or the economic and political union could be at an economic disadvantage globally. The report recommends the EU encourage the use of AI in areas like healthcare, education, and environmental protection, allow for the repurposing of data that's already been collected, and make fines comparable to a company’s level of culpability. In the center's eyes, the GDPR, which of course limits the collection and use of data, is hurting AI - whose sole enabler is data. Those looking to read the actual report, "The EU Needs to Reform the GDPR to Remain Competitive in the Algorithmic Economy," can find it here in PDF format.