China Distributes Spyware at Its Border and Beyond
Credit to Author: Lily Hay Newman| Date: Sat, 06 Jul 2019 13:00:00 +0000
In the spirit of fireworks and firework-related ER visits, it was an explosive and chaotic week in cybersecurity. The ransomware scourge continues apace, with new local governments and municipalities suffering particularly visible attacks every month. Last weekend the Administrative Office of the Georgia Courts became the latest victim. Meanwhile, facial recognition systems are proliferating in US airports, and though airlines like Delta say that using these services is optional, it can be difficult to avoid them in practice, and trying to do so may arouse suspicion.
WIRED also took a deep look this week at mainstream location-tracking services like Google Maps and Apple's Find My Friends. Though they are developed by well-known companies and the location sharing is advertised for accepted uses, these apps also have the potential to be exploited by attackers who have access to victim devices. Domestic abusers or even someone like a rogue coworker could potentially turn on device tracking to stalk a target, and the fact that these apps have an air of legitimacy makes it less likely that victims will notice, especially since there aren't many warnings or notifications when a trusted user initiates tracking.
Plus, here's a look back at the worst cybersecurity incidents of 2019 so far. See if your favorite data disaster or act of international cyber-aggression made the cut!
And even on a holiday weekend there's more. Every Saturday we round up the security and privacy stories we didn’t break or report on in depth, which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
At some border crossings in China's Xinjiang region, Chinese immigration agents are installing spyware on travelers' smartphones that combs text messages, photos, calendar events, contacts, call history, usernames, and lists of third-party apps before uploading this data to a remote server. The malware is only for Android phones, but border agents also have a machine they can connect iPhones to for similar scans. The Chinese government has a program of oppressive surveillance in Xinjiang as part of a sinister "re-education" initiative of the region's Uyghur population, a Muslim ethnic minority. The Android spyware particularly searches for any of 73,000 files, some related to Islamic extremism, some simply related to the Muslim faith in general, such as verses from the Quran. The spyware was exposed on Tuesday by a group of publications, including Vice's Motherboard, The Guardian, the New York Times, the German newspaper Süddeutsche Zeitung, and the German public broadcaster NDR.
US Cyber Command published a Twitter alert on Tuesday that hackers are actively exploiting a known vulnerability in Microsoft's Outlook email client. Attackers are using the bug against government targets to gain system access and spread malware. The vulnerability, which was patched by Microsoft in October 2017, can be used by attackers to get outside of Outlook's constrained environment and gain deeper operating system access. Defenders have previously seen the bug being exploited by the Iranian state-backed hacking group APT33, which is known for creating the famous disk-wiping virus Shamoon. During 2017 and 2018, various findings have suggested a connection between APT 33's use of the Outlook bug and deployment of Shamoon—essentially that the Outlook exploit can be used as the system foothold to then deploy Shamoon. Researchers from the firm Chronicle Security say that the exploit samples posted by Cyber Command in its announcement this week offer some of the first public hard evidence of this connection.
YouTube added hacking and phishing tutorials to its list of banned video content earlier this year. The move wasn't widely known, though, until Hacker Interchange, an ethical computer science training group, started having the video security lessons on its Cyber Weapons Lab channel flagged and taken down by YouTube. The group was also blocked from uploading new videos. YouTube later reversed its decision and said that the channel was flagged in error, but the incident raised concerns in the security research community about what type of content is allowed on YouTube. The guidelines prohibit, "Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data." The entry appears on a list with other banned video types like "Instructions to kill or harm" and "Instructional theft." But while it's obvious why YouTube would want to ban videos that disseminate instructions on how to do dangerous or illegal hacking, the use of the word "instructional" is problematic for the cybersecurity defense community, because educating defenders often requires a component of explaining how malicious hacking is done. Additionally, the policy is potentially at odds with the longstanding cybersecurity practice of responsible disclosure, in which researchers may publish proof of a vulnerability after a set period (often 90 days) of notifying a developer and waiting for them to fix the problem.
On Monday, Virginia became one of the first places worldwide to make distribution of manipulated, non-consensual "deepfake" visual content a criminal offense. The ban comes as an amendment to an existing Virginia "revenge porn" law that prohibits distribution of sexual or nude imagery without the subject's permission. The updated version of the law now specifically prohibits sharing "falsely created videographic or still image" content without the subject's consent.
The popular file storage and sharing service 4shared had more than 100 million downloads of its Android app from the Google Play Store. But in mid-April Google pulled the app and forced 4shared to add a new version to the store. 4shared says it doesn't know why it was subjected to this treatment and that perhaps it had to do with third-party components in the old app from a Hong Kong developer called Elephant Data. Researchers told TechCrunch, though, that this wasn't just a minor confusion, and that the old version of 4shared was displaying invisible adds to users and secretly using simulated screen taps to subscribe users to services without their knowledge—potentially pilfering millions of dollars from 4shared customers. The researchers say that Elephant Data modules were directly powering this fraudulent behavior, and included numerous monitoring and URL-redirect mechanisms seemingly to ensure that the illicit activity stayed hidden. The resubmitted version of 4shared's app already as 10 million new downloads. Users that are still running the old version of the app need to delete it and download the new version to protect themselves.