Plus, more news bytes of the week, including a no-click iPhone hack and a stronger Android messenger app
A 34-year-old hacking law called the Computer Fraud and Abuse Act (CFAA) sits at the center of a U.S. Supreme Court hearing where the defense insists the law was too vaguely written. Nathan van Buren, a former Georgia police officer, is on trial for allegedly accepting payment to search for a license plate in the police database, which violates the CFAA.
Van Buren’s attorney argued to the Supreme Court that the law’s wording is so broad that it construes many innocuous actions as illegal, such as using a work Zoom account for personal reasons, using a work device to check social media, and lying about one’s height on a dating website. According to CNET, security researchers whose job it is to scan the internet for vulnerabilities would also be in violation of the CFAA, as would many other everyday activities in 2020. “In this case, and probably in most cases related to technology, it is important to review and update the laws,” commented Avast Security Evangelist Luis Corrons. “Nobody in 1986 knew how computers and our relationship with them would evolve over the next 30 years.” The Supreme Court has until June 2021 to issue a ruling on the case.
A white hat hacker from Google’s Project Zero stunned the IT world earlier this week when he published a blog post detailing an exploit that would allow hackers to gain remote access to an entire device without any required clicking or accepting from the user. Researcher Ian Beer says he spent 6 months devising the exploit, which sends a malicious Wi-Fi packet that takes advantage of a memory corruption bug in the iOS kernel. He was inspired, he said, by the iPhone AirDrop function. “As we all pour more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target,” Beer cautioned in his post. The vulnerability was patched by Apple earlier this year.
Last week, Google announced that it would be rolling out a beta version of its Android messaging app that now features end-to-end encryption using the Signal protocol, the new encryption standard. Signal has its own app, but the Signal protocol has been adopted by a host of others. The protocol has received endorsements for its unparalleled security and privacy from the likes of Edward Snowden and WhatsApp founder Brian Acton, and some point to its “perfect forward secrecy” as its standout feature. To learn more about Signal encryption, see the article on Wired.
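To make “perfect forward secrecy” concrete, here is an added example (not code from this post, from Google, or from Signal) that contrasts a static Diffie-Hellman handshake with a simplified Signal-style triple Diffie-Hellman (3DH) handshake that mixes in fresh ephemeral keys. It assumes a pure-Python X25519 ladder written from RFC 7748 (a teaching implementation, not side-channel hardened), a one-block HKDF-SHA256, and a stripped-down 3DH with no signed or one-time prekeys and no ratchet; the function names `static_dh_key`, `triple_dh_key` and `forward_secrecy_demo` are hypothetical. The demo models an eavesdropper who recorded the handshake and later steals both parties' long-term private keys: with static DH the old session key is recomputed outright, while with 3DH the ephemeral-ephemeral term is gone with the discarded ephemeral private keys.

```python
"""Forward secrecy demo: static DH vs. ephemeral 3DH under long-term key compromise.
Added example; the X25519 and HKDF below are toy stdlib-only implementations."""
import hashlib
import hmac
import os

P = 2**255 - 19                           # Curve25519 field prime
A24 = 121665                              # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")    # u = 9 generator, RFC 7748


def _cswap(swap, a, b):
    # conditional swap driven by a 0/1 flag (arithmetic, not a branch)
    d = (-swap) & (a ^ b)
    return a ^ d, b ^ d


def _ladder(k, u):
    """Montgomery ladder from RFC 7748 section 5 (teaching version)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P     # x2 / z2 via Fermat inversion


def x25519(priv, pub):
    """X25519: clamp the 32-byte scalar, mask the u-coordinate, run the ladder."""
    k = bytearray(priv)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    u = int.from_bytes(pub, "little") & ((1 << 255) - 1)
    return _ladder(int.from_bytes(k, "little"), u).to_bytes(32, "little")


def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf(ikm, info):
    """One-block HKDF-SHA256 (RFC 5869) with a zero salt; yields a 32-byte key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def static_dh_key(my_id_priv, peer_id_pub):
    """No forward secrecy: the session key depends on long-term keys only."""
    return hkdf(x25519(my_id_priv, peer_id_pub), b"static-dh")


def triple_dh_key(my_id_priv, my_eph_priv, peer_id_pub, peer_eph_pub, initiator):
    """Simplified 3DH: two identity/ephemeral cross terms plus one
    ephemeral/ephemeral term; the last term is what provides forward secrecy."""
    dh_id_eph = x25519(my_id_priv, peer_eph_pub)
    dh_eph_id = x25519(my_eph_priv, peer_id_pub)
    dh_eph_eph = x25519(my_eph_priv, peer_eph_pub)
    # both sides must concatenate in the same order, so the responder swaps the cross terms
    cross = dh_id_eph + dh_eph_id if initiator else dh_eph_id + dh_id_eph
    return hkdf(cross + dh_eph_eph, b"3dh")


def forward_secrecy_demo():
    """One static-DH session and one 3DH session, then a later compromise of
    BOTH long-term private keys by an attacker who recorded the handshake."""
    ik_a_priv, ik_a_pub = keygen()
    ik_b_priv, ik_b_pub = keygen()
    # session 1: static DH
    k_static = static_dh_key(ik_a_priv, ik_b_pub)
    static_agree = k_static == static_dh_key(ik_b_priv, ik_a_pub)
    # session 2: 3DH with fresh ephemeral keys
    ek_a_priv, ek_a_pub = keygen()
    ek_b_priv, ek_b_pub = keygen()
    k_3dh = triple_dh_key(ik_a_priv, ek_a_priv, ik_b_pub, ek_b_pub, True)
    triple_agree = k_3dh == triple_dh_key(ik_b_priv, ek_b_priv, ik_a_pub, ek_a_pub, False)
    wire = {"ek_a_pub": ek_a_pub, "ek_b_pub": ek_b_pub}   # what the eavesdropper recorded
    del ek_a_priv, ek_b_priv                                # endpoints discard ephemerals
    # compromise: attacker now holds ik_a_priv, ik_b_priv and the recording
    static_recovered = static_dh_key(ik_a_priv, ik_b_pub) == k_static
    # for 3DH both cross terms are computable from the stolen identity keys...
    dh1 = x25519(ik_a_priv, wire["ek_b_pub"])
    dh2 = x25519(ik_b_priv, wire["ek_a_pub"])
    # ...but DH(EK_A, EK_B) needs an ephemeral private key nobody holds any more;
    # the best the attacker can do is derive keys from the material it does have
    guesses = [hkdf(dh1 + dh2, b"3dh"),
               hkdf(dh1 + dh2 + x25519(ik_a_priv, ik_b_pub), b"3dh")]
    return {"static_agree": static_agree, "triple_agree": triple_agree,
            "static_recovered_after_compromise": static_recovered,
            "triple_dh_recovered_after_compromise": k_3dh in guesses}


if __name__ == "__main__":
    print(forward_secrecy_demo())
```

The design point is the `del` line: forward secrecy is only as good as the endpoint's discipline in discarding ephemeral private keys once the session key is derived, which is why real implementations wipe them promptly and then ratchet the session key onward so that even a later in-session compromise exposes as little as possible.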
Amnesty International has accused tech giants Facebook and Google of “far-reaching complicity” by blocking posts that criticize the Vietnam government. “These platforms have become hunting grounds for censors, military cyber-troops and state-sponsored trolls. The platforms themselves are not merely letting it happen – they’re increasingly complicit,” said an Amnesty spokesperson. Since April, instances of Facebook restricting content in Vietnam have gone up by 983%. The Vietnamese government also requested that Google remove over 3,000 YouTube videos. More on BBC.
Researchers have discovered malicious files posing as a database package in the NPM environment. As NPM is an open ecosystem, users can upload new packages that have not been screened. The malicious files were labeled jdb.js and db-json.js and, if downloaded, they dropped a remote access trojan (RAT) onto the victim’s computer, which gave the attackers full access to the system. Learn more at Bleeping Computer.