Another week, another death by a thousand leaks, from the operational security failure of fitness app Strava exposing the locations of military bases around the world to Russian hacker group Fancy Bear dropping the latest round of stolen documents from Olympics-related organizations. And then there was that other, congressionally orchestrated release of a certain classified memo, a highly politicized move whose importance security experts are still debating.
As DC buzzed about that declassified congressional memo alleging improper surveillance of former Trump campaign staffer Carter Page, we at WIRED were also covering the usual rash of hacker spying and disruption. Not one but two different groups of state-sponsored hackers are already plaguing the Olympics: one likely North Korean espionage campaign and one Russian group stealing and leaking doping-related documents in retaliation for Russia’s own Olympic doping ban. Hackers are “jackpotting” ATMs in the US for the first time, after years of looting cash machines around the world. Cryptocurrency scams are reaching new levels of absurdity, with one disappearing after netting just $11 and replacing its website with only the word “penis.” Cybercriminals are increasingly making use of malicious Chrome extensions. And speaking of that embattled surveillance memo and its criticisms of the FBI, we examined what might happen if President Trump tries the nuclear option of firing special counsel Robert Mueller, the former FBI director who is now leading the investigation into any potential collusion between the Trump campaign and Russia during the 2016 election.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
The cybersecurity world has always had its “script kiddies,” unskilled hackers who use other people’s automated tools for easy, low-hanging-fruit attacks. This week they got a belated Christmas gift: A tool called AutoSploit stitches together existing hacking tools to offer even the most clueless hacker a way to automatically locate and compromise vulnerable internet-connected devices. The open-source program, released by a researcher who goes by the pseudonym Vector, combines Shodan, the search engine for internet-connected devices, with the Metasploit exploitation framework to allow nearly point-and-click attacks. Type in keywords to locate certain devices or targets, and AutoSploit will both list the available targets and let the user launch a menu of pre-loaded exploits against them.
Though the program does little more than what Shodan and Metasploit could already accomplish in a more manual combination, the move to make internet-wide exploitation one degree more seamless has sparked controversy. “There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies,” wrote well-known security consultant Richard Bejtlich on Twitter. “Just because you can do something doesn’t make it wise to do so. This will end in tears.”
When a company or government adds a security appliance to its racks, it generally hopes that the box will make it more secure—not open a new, gaping hole into its network. So it was particularly disquieting this week when Cisco announced a fix for a critical flaw in its popular Adaptive Security Appliance, which offers security services like a firewall and VPN. The now-patched bug rated a 10 out of 10 on the Common Vulnerability Scoring System: it let an unauthenticated remote attacker gain a foothold on the appliance and run any code they pleased. The flaw was found by security researcher Cedric Halbronn, who will present it this weekend at the security conference REcon in Brussels. Though Cisco wrote in its advisory that it hadn’t found any evidence of the flaw being exploited in the wild, it could have given hackers an entry point into victims’ networks, or at the very least let them knock out a security protection on which those victims depended.
Biometric authentication systems often promise to improve on the shortcomings of traditional, password-based authentication. In Lenovo’s case, however, it turns out the software behind the fingerprint reader built into the company’s laptops protected the data it stored with nothing but a hardcoded password. Anyone with access to one of those laptops—dozens of its laptop models running everything from Windows 7 to Windows 8.1—who knew that password could use it to bypass the fingerprint scanner and read the stored data, which included credentials for web logins. And because the password was baked into the software rather than chosen by the user, anyone who pulled it out of one copy could use it against every affected machine. Lenovo this week released an update for that faulty fingerprint scheme, which also used dangerously weak encryption.
Most reports of broad cyberespionage campaigns targeting activists and journalists bring to mind highly resourced state-sponsored hackers. But a new report from the civil-society-focused security group Citizen Lab shows that a relatively sophisticated hacking operation against Tibetan activists cost just over $1,000 in IT expenses. The hackers’ 172 fake domains, which served as the landing pages for their phishing emails, cost just $878 in domain registration fees and $190 in server charges over 19 months. The group acknowledges that the staffing costs of such a spying campaign, which it didn’t attempt to estimate, remain the biggest expense. But the overall affordability of hacking has nonetheless been driven in part, Citizen Lab says, by the free HTTPS certificate authority Let’s Encrypt, which lets a phishing page carry a valid certificate at no cost, and more generally by the lingering simplicity of phishing as a hacking technique: victims, especially in developing countries, still often don’t use two-factor authentication, which would blunt these easy credential-theft breaches.