If you haven't read this month's WIRED cover story about teen hackers who went too deep into Microsoft Xbox's systems, make that your first stop. In more current news, the White House sent mixed messages on cybersecurity policy this week, calling out Russian hackers for compromising popular routers and firewalls—a problematic, but unsurprising and even popular type of attack. Meanwhile, the White House is also losing its well-regarded cybersecurity coordinator Rob Joyce to the NSA.
An alternative security conference on Tuesday called out the industry for lack of diverse representation and inclusion. Researchers are starting to shed more light on the techniques Russian actors used to spread disinformation on social platforms ahead of the 2016 presidential elections. WIRED has new details about the malware and techniques attackers used last fall to taint millions of downloads of the popular CCleaner PC optimization tool. And a new app works to stymie unauthorized physical access to MacBooks simply by sending a notification to the owner if someone the lid.
Facebook's universal login feature comes with some important security drawbacks thanks to online tracking scripts. Researchers demonstrated how feasible it is to exploit Internet of Things device weaknesses one after another to compromise a corporate network without ever touching a PC or server. There's a pressing need to standardize the use of ultrasonic communications in location-based apps. And a new attack vector known as "trustjacking" can take advantage when you choose to "Trust" a computer from your iPhone.
Oh, and Pornhub now accepts cryptocurrency, just FYI. Plus there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Though internet censorship has been ramping up recently in countries like Russia, privacy advocates noticed this week that Google has changed its App Engine architecture so it no longer includes a quirk that was helping apps get around repressive digital schemes. The mechanism, known as domain-fronting, allowed services to make it look like they were sending requests to generic digital entities, namely Google, when they were actually communicating with blocked sites and services. The change will impact certain VPNs, apps like Signal, and other tools that prioritize anti-censorship features. Domain-fronting was never an actual Google feature, and the company said its decision to plug the hole was long-planned. The mechanism has also been abused by hackers to hide malicious activity.
LinkedIn's popular AutoFill plugin was leaking user data until a fix on Thursday. The plugin fills information from users' profiles into a number of trusted third-party sites, but any of these whitelisted services were able to proactively access users' data without their approval. On top of that, if any of the trusted services were using cross-site scripting that is vulnerable to a certain type of attack, unauthorized platforms could have also grabbed the data. This type of cascade occurred in at least one instance, exposing Linkedin profile data to an untrusted web service, according to researcher Jack Cable. There isn't evidence evidence of malicious behavior, though. "We immediately prevented unauthorized use of this feature, once we were made aware of the issue," a LinkedIn spokesperson told ZDNet.
Lots of services draw on Facebook's huge cache of public and semi-public data, including the facial recognition service Face-Int, which Forbes discovered has swept up Facebook data for five years, while also crawling YouTube videos and numerous other sites for digital faces. Founded by a former Israeli intelligence agent, the database is now owned by an Israeli company called Verint that is known to offer intelligence services to the US government and others around the world. Face-Int has data about individuals "harvested from such online sources as YouTube, Facebook and open and closed forums all over the globe."
