Stalkerware worries, a WebKit zero-day and Chris Inglis’s departure
Welcome to Changelog for 2/19/23, published by Synack! Nate Mott here, writing from the cold-once-again boonies of upstate New York with this week’s cyber news:
The payload
Life360, a tech company known for its namesake family locator app, announced this week that it was introducing a new Anti-Theft Mode to its Tile location trackers that makes them “undetectable by Scan and Secure, an in-app feature that allows both iPhone and Android users to scan for and detect nearby Tiles and Tile-enabled devices.” It didn’t take long for people to point out why this is probably a very bad idea.
“This is your regular reminder that you CANNOT make a physical tracker that tracks thieves without alerting them without also creating a perfect tool for stalkers,” Electronic Frontier Foundation director of cybersecurity and Coalition Against Stalkerware co-founder Eva Galperin said. (If you’re unfamiliar with Galperin’s work, here’s the obligatory link to her TED talk.)
Life360 said that enabling Anti-Theft Mode requires users to “submit and apply for an advanced ID verification process that includes a biometric scan to accurately detect fake IDs,” ostensibly because “syncing a government-issued ID with a Tile user’s account is a proactive measure to deter the feature from being used for nefarious purposes, such as stalking.”
Companies looking to solve one problem (theft) can exacerbate another problem (stalking) in the process—and in Life360’s case, dismiss concerns by saying existing countermeasures are “insufficient for victim protection.” It’s another stark reminder that privacy and security problems rarely exist in a vacuum.
The week, compiled
The first U.S. National Cyber Director, Chris Inglis, stepped down this week, and Deputy National Cyber Director Kemba Eneas Walden will serve as the acting head of all things cyber in his stead. (CNN reported that Inglis planned to leave his post on Feb. 8; he made his retirement official on Feb. 15.)
Politico said Inglis “served as the deputy director of the National Security Agency under both the George W. Bush and Obama administrations” and “spent decades in various positions at the NSA and the Department of Defense.” He also served on the Cyberspace Solarium Commission.
Part of Inglis’s duties included preparing the National Cyber Strategy for the Biden administration, which has been “set to be released” for months now. CNN said Republican and Democratic lawmakers asked Inglis to stay on until the strategy was complete; now it seems it’s finally nearing publication.
Here are some other things that caught my eye this week:
The Register: Apple released new versions of iOS, iPadOS and macOS to patch an actively exploited vulnerability (CVE-2023-23529) in the WebKit browser engine. The company offered precious few details about efforts to exploit this flaw, but did say that it wanted to “acknowledge The Citizen Lab at The University of Toronto’s Munk School for their assistance.”
CNN: The FBI said it had contained an “isolated” cyber incident affecting the agency’s computer systems. Sources briefed on the matter reportedly believe the incident related to a network used in the FBI’s investigations of images of child sexual exploitation.
TechCrunch: A hack-and-leak operation targeting Atlassian was a contender for this year’s funniest cyber whodunit as the company and one of its suppliers, Envoy, blamed each other for the initial compromise, which revealed personal information about Atlassian employees. It turned out the data was gathered using an Atlassian employee’s credentials.
BleepingComputer: GoDaddy said it learned of several incidents from “a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy” in December 2022.
A message from Synack
Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.
Flash memory
Chat long enough with any hacker who’s old enough to remember buying cassette tapes, and the odds of them bringing up a bulletin board system (BBS) approach 100%. These precursors to popular forums, blogging platforms and social networks provided many a security researcher with the means to meet people with similar interests and share information.
Many of these early systems were—fittingly enough—run using the Computerized Bulletin Board System. Both the Wikipedia page and this recounting of CBBS’ creation are worth a read… especially if you’re looking to escape from all the horror stories coming out of Twitter right now. Maybe progressing from using BBS to relying on social media was a mistake.
Local files
NBC: The City of Oakland declared a state of emergency this week due to a ransomware attack. The city offered very little information about the incident but the state of emergency would reportedly “assist with equipment and materials and the activation of emergency workers as the city seeks to safely restore its systems.”
The Record: The EU Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team of the European Union (CERT-EU) issued a warning this week about China-affiliated advanced persistent threats (APTs) said to be actively targeting numerous members of the EU.
CyberScoop: Dragos said in its yearly review for 2022 that ransomware attacks on U.S. manufacturers increased year-over-year, with the report detailing “a total of 605 ransomware attacks affecting the industrial sector last year, a 92% increase over the 315 attacks the firm detected in 2021.”
Off-script
Google is reportedly considering the addition of telemetry to the toolchain used in conjunction with the Go programming language it introduced in 2009. This telemetry would be enabled by default, rather than being something developers can opt into, and many are rightly annoyed by this.
I’m no Luddite, but I still find it baffling how far data collection has made its way into our lives. Windows and macOS both share obscene amounts of information with Microsoft and Apple, respectively, and Google’s empire is built on mountains of user data.
This problem isn’t even limited to tech companies. The Markup reported this week that “grocery chains like Kroger are reaping huge profits selling [customer] data to brands and advertisers.” That data can include “precise movements in stores” in addition to other kinds of personal information.
Can’t we just do things without having to worry about being watched? Could we do some programming in Go, use our gaming PCs or pay far more than we should for eggs without the all-seeing eyes of countless corporations on us? Or are those of us bothered by this just yelling at clouds?
That’s all for this week’s installment of Changelog. Send in tips — or just say hello — to nmott@synack.com.