An iTunes Bug Let Hackers Spread Ransomware

Credit to Author: Brian Barrett | Date: Sat, 12 Oct 2019 13:00:00 +0000

FBI overreach, hacker payback, and more of the week's top security news.

The past week brought a heaping helping of not so comforting cybersecurity news, starting with President Donald Trump's apparent plans to pull out of the Cold War-era Open Skies treaty. We explained why that would be as bad an idea as it sounds. But that's just for starters.

We also took a look at how planting a spy bug on IT hardware is a lot easier—and cheaper—than you might assume. Also cheap and easy: Russia's cross-platform disinformation assault during the 2016 election, as comprehensively laid out in a new report from the Senate Intelligence Committee this week. The conclusion is the same as it has been for over a year, but is no less important for it: Russia's still at it, and the US isn't doing enough to stop it.

Also not doing enough: Twitter, which this week acknowledged that it had fed user phone numbers provided for two-factor authentication into its ad-targeting engine. This is bad! But maybe not unexpected, given how little the big tech platforms care about your privacy and security, especially compared to their profits. A less cut-and-dried controversy is swirling around the nascent idea of encrypting Domain Name System lookups, which both Google Chrome and Mozilla's Firefox support. Some security professionals argue that it makes it harder to defend networks against certain attacks, while offering minimal benefit.

Soldiers are incorporating more technology on the battlefield, but that can also cause dangerous—even deadly—distractions. And we took a look at 7 security threats that can sneak up on you, from rogue USB drives to snooping Chrome extensions. Keep your head on a swivel.

And there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Researchers from Morphisec Labs spotted ransomware hackers using a zero-day bug in iTunes for Windows to attack an automotive industry target. The flaw specifically relates to the Apple Software Update utility, allowing the Bitpaymer/iEncrypt malware to sneak onto PCs undetected. Apple has since patched the bug, so if you're still using iTunes on Windows for some reason you should be in the clear. And if you use iTunes on Mac, well, you're also fine. And as soon as you update to macOS Catalina, you won't even have iTunes at all.

The Dutch website Hookers.nl was hacked recently, with email addresses, IP addresses, user names, and passwords of 250,000 users all caught up in the haul. The hacker apparently got in through a bug in forum software vBulletin; the Dutch Broadcast Foundation reports that the hacker has attempted to sell the data online.

Everybody likes a good payback story. In this one, software developer Tobias Frömel fell victim to a ransomware attack, paying a fine to recover his files. But he also took the time to comb through the malware's code, and stole a database full of decryption keys from the hacking group's server. Not only that, but he wrote a decryption program that any victim of the Muhstik ransomware strain can use to get their data back. He then alerted users on Twitter that they now had a better option than paying up. A real Robin Hood story for our times, including a probably not technically super legal stratagem from the hero.

The Foreign Intelligence Surveillance Court last year found that the Federal Bureau of Investigation had violated people's right to privacy when it searched a database of so-called raw intelligence collected by warrantless surveillance. That's a mouthful. The short version: The FBI took a shortcut that violated the Fourth Amendment. Exact details remain a little hazy, because the FISA court operates in secret. But the recent disclosure should give additional fuel to critics of Section 702, the controversial law that dictates the form of surveillance in question.
