Equifax Was Warned of Vulnerability Months Before Breach, and More Security News This Week
This week, some old security threats came back to haunt the internet, a fitting horror trope this close to Halloween.
Remember the Mirai botnet that took out the internet for a big chunk of the East Coast and beyond last year? It’s back, sort of. More specifically, a new botnet called Reaper is steadily growing, based on Mirai but with an added trick. It doesn’t just seek out IoT devices with weak or default passwords; it actively exploits known vulnerabilities in them. With over a million networks already infected, it could eventually unleash a substantial DDoS attack. Think of it like a powder keg that gets a little bigger every day. Neat!
In that same vein, a new ransomware strain related to NotPetya, called BadRabbit, has struck Ukraine. Curiously, though, it has had an even bigger impact on Russia, which security analysts largely believe was behind NotPetya in the first place.
We also took a look at the US government’s ban on Kaspersky Lab software, or more specifically the silence over what evidence it has that the Russian antivirus company poses a danger. A bug in a popular maritime communications platform—since fixed—underscores just how ill-prepared infrastructure at sea is for an age in which everything connects to the internet. And Apple’s Core ML machine learning framework will be a boon for developers, but has some security experts spooked about how easily it lets an app sift through your sensitive photos and the like.
Finally, we took a long look at piracy’s shift from torrenting to Kodi boxes, and how the lawsuits have followed in kind.
If Equifax’s loss of the sensitive personal information of hundreds of millions of people didn’t already seem negligent enough, a new report adds another point to its timeline of failure: Six months before hackers attacked one of the company’s web portals and siphoned out data on 145 million Americans, it was warned of a flaw that could have allowed exactly that severity of attack. An anonymous security researcher tells Motherboard that he or she found a flaw in an Equifax website in December of last year that would have allowed anyone to pull out the information of every person in the company’s database in minutes—including Social Security numbers, full names and birthdates—using just a “forced browsing” technique that amounts to typing guessed URL strings into a browser and seeing which ones the site serves without checking who is asking. The researcher also found other bugs that would have allowed a hacker to take control of Equifax servers, including SQL injection vulnerabilities, in which maliciously crafted input in a web entry field gets spliced into a database query and runs commands on the back end. Equifax didn’t fix those bugs for more than six months. And while it’s not confirmed that any of those specific vulnerabilities were the ones used to breach the company, they point to the company’s general laxity about security, and suggest that multiple hacker groups could have easily been inside the company’s networks.
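To make the two bug classes in that report concrete, here is an added, hypothetical example written for this roundup: it is not Equifax’s code, not the researcher’s findings, and the records, usernames, and table name are all constructed. It puts a forced-browsing (missing authorization) handler and a string-concatenated SQL lookup beside their hardened forms, over an in-memory SQLite table, so you can watch an ID sweep and a quote-injection payload succeed against one and fail against the other.

```python
"""Vulnerable-vs-hardened handlers for forced browsing and SQL injection.
Hypothetical illustration; the data below is made up."""
import sqlite3

# Constructed sample records: (id, owner login, name, dob, ssn). Not real people.
_RECORDS = [
    (1, "alice", "Alice Example", "1980-01-01", "111-11-1111"),
    (2, "bob", "Bob Example", "1975-05-05", "222-22-2222"),
    (3, "carol", "Carol Example", "1990-09-09", "333-33-3333"),
]


def make_db():
    """Build the in-memory table the handlers below query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, owner TEXT, "
               "name TEXT, dob TEXT, ssn TEXT)")
    db.executemany("INSERT INTO people VALUES (?, ?, ?, ?, ?)", _RECORDS)
    return db


# --- Forced browsing (missing authorization on a direct object reference) ---

def get_record_vulnerable(db, record_id, requesting_user):
    """Serves /people/<id> with no ownership check: whoever the caller is,
    walking id=1,2,3,... returns every row in the table."""
    return db.execute("SELECT name, dob, ssn FROM people WHERE id = ?",
                      (record_id,)).fetchone()


def get_record_hardened(db, record_id, requesting_user):
    """Same endpoint, but the query binds the row to the caller, so an id that
    is not theirs returns nothing (indistinguishable from a nonexistent id)."""
    return db.execute("SELECT name, dob, ssn FROM people "
                      "WHERE id = ? AND owner = ?",
                      (record_id, requesting_user)).fetchone()


def enumerate_ids(db, handler, requesting_user, max_id=10):
    """Simulates the 'plug URL strings into a browser' sweep against a handler
    and reports which ids leaked a record."""
    return [i for i in range(1, max_id + 1) if handler(db, i, requesting_user)]


# --- SQL injection in a web entry field -------------------------------------

def search_vulnerable(db, name):
    """Builds the query by string concatenation: a quote in the input closes
    the literal early and the rest of the input becomes query logic."""
    sql = "SELECT name, ssn FROM people WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def search_hardened(db, name):
    """Parameterised query: the value is bound separately from the SQL text,
    so a quote in the input is just a character to compare against."""
    return db.execute("SELECT name, ssn FROM people WHERE name = ?",
                      (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # "bob" owns only record 2, yet the unchecked handler hands him all three.
    print(enumerate_ids(db, get_record_vulnerable, "bob"))   # [1, 2, 3]
    print(enumerate_ids(db, get_record_hardened, "bob"))     # [2]
    payload = "x' OR '1'='1"
    print(search_vulnerable(db, payload))  # every row: the OR is now SQL
    print(search_hardened(db, payload))    # []: no one is literally named that
```

The point of the hardened lookup is that authorization lives in the query, not in a separate check that a later code path can forget; the point of the parameterised search is that the fix is a driver feature, not input filtering.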
WhatsApp already offers the privacy guarantee of its underlying Signal Protocol encryption, and the convenience of well over a billion of your closest friends already using it. Now the Facebook-owned app is rolling out a feature that lets you delete a message you’ve sent, for up to seven minutes afterward, from both your smartphone and the recipient’s. Early reports say it works as advertised, with the small caveat that WhatsApp won’t send you a confirmation that the deletion actually took place on the other end, and of course it can’t unread a message the recipient has already seen. But hey, trust makes the world go round.
Building a video feed into a robotic vacuum cleaner represents a might-as-well addition to the era of internet-connected gadgets, allowing you to keep an eye on your pets—or children—while it scoots around your floors. But when that video feed runs through an insecure mobile app—as in the case of LG’s Hom-Bot and its SmartThinQ app—your robot vacuum quickly becomes a domestic surveillance device. According to security firm Check Point, an authentication bug in that app meant that any hacker who knew a spying target’s email address could log into the app as them, intercepting that vacuum-based video feed. The same trick would also give them access to other internet-connected LG devices in that home, including fridges, air conditioners, ovens, washing machines, dryers and dishwashers. Check Point reported the bug to LG in July, and it was fixed in September, so update your SmartThinQ app ASAP to make sure it’s not vulnerable to that IoT spying technique.
An AI algorithm can now defeat CAPTCHA systems, designed to tell humans from bots, more than half the time, according to research published in the journal Science this month. It performed best against Google’s reCAPTCHA, with a 66.6 percent success rate, but also found favorable results against versions from Yahoo and PayPal. The research team from Vicarious AI pulled off the feat by training its algorithms to mimic the sequence human eyes and brains go through to identify images. It’s not the first AI to beat CAPTCHA, but the researchers say their method required far less training data than the reigning champs, convolutional neural networks.