A Snooping Soccer App, a Decades-Old Bug, and More Security News This Week.

Credit to Author: Brian Barrett | Date: Sat, 16 Jun 2018 13:00:00 +0000

Did you hear? There was a summit this week! A good ol’ fashioned meeting of world powers, in which North Korea promised to denuclearize for at least the seventh time in the last 30 years. In the process, President Donald Trump says he gave North Korean dictator Kim Jong Un his direct phone number, which if true was a terrible idea. Oh, and even if North Korea does actually go through with ditching its nukes this time, it’s going to be almost impossible to hold them accountable.

The Inspector General report of the FBI’s actions during the 2016 presidential campaign came out this week as well. Despite what Trump’s tweets might have you believe, it did not exonerate the president’s campaign in terms of potential Russian collusion. It did, however, show that the FBI and its former director James Comey made some not-great decisions in its probe of the Clinton email server. In a happier moment for the Justice Department, alleged Silk Road consigliere Roger Clark was extradited from Thailand to the United States this week. They also took down dozens of Nigerian email scammers, but that’ll barely make a dent.

Everyone from Paul Manafort to Michael Cohen learned that encrypted messaging isn’t magic this week, and you should too before misplaced trust gets you in trouble. Anduril is a magic sword in the Lord of the Rings universe, but also the name of former Oculus Rift wunderkind Palmer Luckey’s company that exists to build a virtual border wall.

If you’re traveling to Russia for the World Cup, you’re virtually sure to get hacked unless you take some straightforward precautions. And US senators want straightforward answers from Amazon about exactly how much the Echo snoops on its owners.

But wait, there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

A week ago, the developers of the most popular soccer app in Spain, La Liga, pushed an update that asked permission to access a smartphone’s mic and GPS settings. It then used that permission to listen for unlicensed broadcasts of games in public spaces. La Liga says any audio that gets captured is converted into binary code, which it then matches up against a control code to see if you’re watching something no one paid for. This is bad! No matter how they mask the actual audio they’re grabbing, it’s still a significant privacy violation—hard to imagine many people granted mic permission with the expectation it’d be used like this—and a risk, depending on how securely they capture and store the audio. An own goal, indeed.

It’s nowhere near as bad as Meltdown and Spectre, the speculative execution attacks that rattled the entire hardware industry, but Lazy FP state restore, the latest CPU vulnerability, is still a worrying continuation of this year’s least welcome security trend. Affecting all Intel Core processors from 2011’s Sandy Bridge line onward, the bug could allow an attacker to extract data even from encryption software. It’s apparently both hard to pull off and easy to fix, so chalk it up to a good reminder that there’s danger in them there chips.

A number of email encryption tools that rely on PGP encryption all patched a critical vulnerability this week that would have let attackers spoof the digital signatures of anyone with a public key. It didn’t work in the default configuration, but anyone who turned on the “verbose” setting was potentially susceptible. Even more fun: The bug dates back 20 years. This is distinct from the Efail encrypted email vulnerability that surfaced in March, and ultimately less worrisome. But it’s still a good reminder to only put so much faith in the tools you use to protect your privacy.