Russian Spies Rush to Exploit the Latest Flash Zero Day and More Security News This Week

There’s nothing like a hefty security freakout to start the week, and the Key Reinstallation Attack Wi-Fi vulnerability—you know it as Krack—announced on Monday fit the bill. The bug is in the ubiquitous WPA2 Wi-Fi protocol itself rather than in any one product, so while it fortunately doesn’t impact every single device that exists, it does affect a significant portion of them. And many will likely never receive protective patches, a longstanding and critical security problem that particularly affects the Internet of Things. The relative simplicity of the Krack bug itself also highlights the importance of making technical standards accessible to researchers for review and feedback.

Google announced a new tier of account security this week called Advanced Protection that uses physical authentication tokens, advanced scanning, and siloing to help defend particularly at-risk accounts (or anyone who wants to be very cautious). And after its disastrous corporate breach, Equifax is receiving a thorough public shaming. Researchers also discovered that for just $1,000 they can exploit mobile advertising networks to track people’s movements in both cyberspace and the real world. Not great!

US-Iranian relations are tense and could nudge Iran’s cyber operations. And crooks have a new favorite hustle called “cryptojacking” that can secretly use your devices to mine cryptocurrency when you visit infected websites. Highs and lows.

And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Flash Patched Its Recent Zero Day, So Russian Hackers Are Using It While They Can

Kaspersky Lab researchers announced a new Adobe Flash vulnerability on Monday, noting that unidentified hackers exploited the bug in an attack on October 10, using a malicious Microsoft Word document to deliver FinSpy malware. Adobe coordinated with Kaspersky to issue a patch on the day of the disclosure. In the wake of the patch, researchers at the security firm Proofpoint observed hackers doubling down to exploit the flaw before potential targets widely adopt the fix. The group, which Proofpoint says is the Russia-backed collective Fancy Bear, launched an email spearphishing campaign that targeted state departments and aerospace companies. But researchers say the operation was sloppy, and that the group has followed this pattern in the past.

Microsoft Didn’t Disclose 2013 Breach of a Sensitive Vulnerability Database

Sophisticated hackers breached Microsoft’s internal vulnerability-tracking database more than four years ago, but the company didn’t publicly disclose the incident. Five former Microsoft employees told Reuters that the company was aware of the intrusion in 2013. The database would have contained critical vulnerabilities in Microsoft’s widely used software products, including Windows, and may have even included code for exploiting those flaws. Such information would be a gold mine for foreign government-backed hackers or third-party criminals alike, and could have facilitated breaches and espionage at the time.

Reuters’ sources said in separate interviews that Microsoft never connected the breach to any other attacks, and that the company didn’t disclose the incident because doing so would have pushed attackers to exploit the vulnerabilities before they were patched. Microsoft presumably patched everything in the compromised database years ago, though. Reuters’ sources say that Microsoft did at least improve its internal security in response to the hack. The incident was part of a rash of attacks that also hit Apple, Facebook, and Twitter. The group behind these hacks is still unidentified, but is known by different researchers as Morpho, Butterfly, and Wild Neutron, and is still active today.

UK Concludes That Iran, Not Russia or North Korea, Hacked Officials’ Email Accounts

Investigators in the United Kingdom concluded last week that Iranian government-backed hackers were behind a June email network intrusion that targeted numerous members of parliament and Prime Minister Theresa May. Every MP uses the network, but the hackers specifically looked for accounts protected by weak passwords or reused ones that had leaked online after other breaches. The parliamentary digital services team told the Guardian that it was making email security changes in response to the attack. The incident underscores Iran’s ongoing digital offensive initiatives. Though the country has been less focused on Western targets in the last few years, it is still an active threat around the world. Recently, US President Donald Trump has worked to undermine the Iran nuclear deal, but Theresa May and other European leaders say they want to preserve it.

Police Did Social Media Surveillance on New York Black Lives Matter Group

The Black Lives Matter Global Network chapter in Rockland County, New York filed a federal lawsuit in August claiming that local Clarkstown police conducted illegal surveillance on it throughout 2015. Clarkstown police records from the Strategic Intelligence Unit describe social-media surveillance targeted at BLM members. The documents even show evidence that a lead detective told the Strategic Intelligence Unit supervisor to stop the surveillance, but this didn’t end the program. BLM is alleging that Clarkstown police engaged in racial profiling, and violated the group members’ rights to free speech and assembly.

Millions of Crucial Cryptography Keys Weakened By Trusted Generator

A flaw in how a widely used software library generates RSA keys has weakened millions of cryptographic keys. The library has been certified under two security certification standards used by numerous governments and large corporations worldwide, meaning that the flawed keys are meant to protect particularly sensitive platforms and data. German chipmaker Infineon developed the software, which has carried the key-generation flaw since 2012 or possibly earlier. The keys it produces have a detectable mathematical structure, and attackers can exploit that structure to recover the private part of a key from its public component alone, with far less computing effort than a properly generated key of the same size would require. From there they could do things like manipulate digitally signed software, disable other network protections, or, of course, decrypt sensitive data. The situation affects Estonia’s much-touted secure digital ID system. Infineon, Microsoft, and Google warn that the flaw will undermine their Trusted Platform Module products until customers generate new, more robust keys. Only keys generated by the flawed library are affected; keys generated elsewhere and then imported into an affected chip are not. Estonia has announced plans to update the keys used for its national IDs.
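Because the weak keys have a recognizable structure, a defender can check a public key without any private material. The script below is an added example, not code from the article, from Infineon, or from the researchers' own detection tool; it implements the published fingerprint for moduli produced by the flawed generator: for every small prime p in the list, the residue of the modulus N modulo p falls inside the multiplicative subgroup generated by 65537 modulo p. The prime list (3 up to 167) is the one the public detector uses for all key sizes; the two sample moduli are constructed inline for the demonstration and are not real RSA keys.

```python
from math import prod

# Small primes used by the published fingerprint test (3 .. 167).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
GENERATOR = 65537  # the flawed generator builds primes from powers of 65537


def subgroup_mod(p, g=GENERATOR):
    """Return the set of residues {g^i mod p}: the subgroup generated by g."""
    members, x = set(), 1
    while True:
        members.add(x)
        x = (x * g) % p
        if x == 1:  # cycled back to the identity, subgroup is complete
            return members


# Precompute the allowed residues for each prime once.
SUBGROUPS = {p: subgroup_mod(p) for p in PRIMES}


def is_roca_fingerprinted(n):
    """True when modulus n matches the weak-key fingerprint for every prime.

    A modulus from the flawed library satisfies N mod p in <65537> mod p for
    all p dividing the generator's primorial; a random modulus does so for all
    38 primes only with negligible probability.
    """
    return all((n % p) in SUBGROUPS[p] for p in PRIMES)


def parse_modulus(text):
    """Accept an int or a hex string (with or without 0x) and return an int."""
    if isinstance(text, int):
        return text
    return int(text.strip().lower().removeprefix("0x"), 16)


# Constructed sample (assumption: built with the same structure the flawed
# generator produces, N = k*M + (65537^a mod M); not a real key).
M = prod(PRIMES)
WEAK_N = (2**200 + 7) * M + pow(GENERATOR, 12345, M)

# Constructed sample outside the structure: 65537 has order 2 modulo 11, so
# only residues 1 and 10 are allowed there, and this N is 2 mod 11.
GOOD_N = 11 * (2**100 + 1) + 2

if __name__ == "__main__":
    for label, n in (("constructed weak modulus", WEAK_N),
                     ("constructed ordinary modulus", GOOD_N)):
        print(f"{label}: fingerprinted={is_roca_fingerprinted(parse_modulus(n))}")
```

The check is a fingerprint, not a proof: a match means the key almost certainly came from the flawed generator and should be replaced, while a non-match says nothing about other weaknesses. In practice you would feed it the modulus pulled from a certificate or TPM public key blob with your usual tooling.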

Tech

Equifax says systems not compromised in latest cyber scare

NEW YORK (Reuters) – Equifax Inc said on Thursday that one of its third-party vendors had been running malicious code on one of its web pages, but that the credit reporting agency was not the subject of another cyber attack and its systems were not compromised.

Equifax had said earlier it took the affected web page offline “out of an abundance of caution” following a report by the technology news website Ars Technica that the company’s website may have been hacked.

Atlanta-based Equifax disclosed a little over a month ago that cyber criminals had breached its systems between mid-May and late July and stolen the sensitive information of 145.5 million people.

“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” spokeswoman Francesca De Girolami said in a statement on Thursday.

“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.”

The company said it has removed the vendor’s code from the web page, which was taken offline so the company can conduct further analysis.


Randy Abrams, an independent security analyst, said he noticed the issue late on Wednesday when he was attempting to check some information in his credit report and a bogus pop-up ad appeared on Equifax’s website.

The pop-ups could trick visitors into installing fraudulent Adobe Flash updates and infect computers with malware, he said in an interview with Reuters on Thursday.

“You’ve got to be kidding me,” he recalled thinking when he first saw the ads. Then he successfully replicated the problem at least five times, making a video that he posted to YouTube. (bit.ly/2z3GTLc)

Equifax’s security protocols have been under scrutiny since Sept. 7 when the company disclosed its systems had been breached. As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice, and it has led to the departure of the company’s chief executive officer, chief information officer and chief security officer.

Equifax shares ended down 1.5 percent at $108.81.

Reporting by John McCrank; Editing by Bill Rigby


Ikea’s Latest Acquisition Will Help Assemble Your Ikea Furniture

One of the most popular jobs on TaskRabbit, a service that lets you hire workers for quick gigs, is assembling Ikea furniture. So perhaps it’s no surprise that the Swedish retail giant has reportedly acquired the startup for an undisclosed price.

TaskRabbit has only a few dozen full-time employees, but it is a platform for a large number of independent contractors who help customers with all sorts of errands, handyman tasks and, of course, furniture assembly.

According to tech news site Recode, Ikea will treat TaskRabbit, which is reportedly profitable, as an independent subsidiary and keep on its CEO Stacy Brown-Philpot. Recode sees the deal as a strategic acquisition at a time of rapid change in the world of retail and home delivery:

The purchase of TaskRabbit was fueled by Ikea’s need to further bolster its digital customer service capabilities to better compete with rivals like Amazon, which has stepped up its home goods and installation offerings. The purchase is Ikea’s first step into the on-demand platform space.

TaskRabbit had already struck a pilot partnership with Ikea around furniture assembly in the United Kingdom and also had marketed its workers’ ability to put together Ikea items in the U.S. and elsewhere.

TaskRabbit has received investments from a number of prominent venture capital firms, including Shasta Ventures, Lightspeed Venture Partners and Founders Fund.

Currently, customers are able to hire “rabbits” in around 40 U.S. cities.

TaskRabbit is one of the most high profile of the so-called “gig economy” companies, which connect customers with workers on an independent contractor basis. Other such companies include home cleaning service Handy, and the car-hailing services Uber and Lyft.

The “gig” business model is popular with investors because it can grow quickly, and allows companies to try to avoid the costs and legal entanglements of hiring staff. In recent years, however, workers on such services have won several court challenges claiming they are not contractors, but are instead employees.

Ikea did not immediately respond to a request for comment about the acquisition.
