Credit to Author: Brian Barrett | Date: Sat, 18 May 2019 13:00:00 +0000
The week started out with a bang, or several of them really. Remember Meltdown and Spectre, the vulnerabilities that affected basically every Intel processor from the last decade? There’s a related attack called ZombieLoad—yes, ZombieLoad—with similarly broad and bad impact. Serious stuff! But honestly not even the worst disclosure of the week.
That distinction probably goes to Cisco. Researchers at security firm Red Balloon found that they could hack the company’s ubiquitous enterprise router, meaning they could listen in on whatever traffic goes to and from those networks. Cisco then acknowledged that dozens of its products were susceptible to the attack, likely comprising millions of devices, and that a fix would require an on-site visit.
And that’s before you even get to the week’s big actual hack: Israeli hacking company NSO Group apparently found a way to break into phones simply by placing a phone call through WhatsApp. The recipient didn’t even have to pick up. There’s also Microsoft, which released its first Windows XP patch since the months before the WannaCry ransomware strain swept the globe—and we all know how that turned out.
I can’t stress enough that all of these things had happened by Tuesday.
Things calmed down a bit from there. The FCC rolled out a new robocall-stopping plan, which is pretty much the same as the old robocall-stopping plan. Google recalled its multi-factor authentication Titan Security Key over a Bluetooth flaw. The feds and Europol took down a sophisticated international cybercrime ring. And we took a look at how technology aided the National Security Council’s ascendency in wartime matters.
And there’s more! Each week we round up the news that we didn’t break or cover in depth but that you should know about. As always, click on the headlines to read the full stories. And stay safe out there.
Google has been on a big ol’ privacy PR push lately, including a fancy New York Times op-ed from CEO Sundar Pichai extolling the importance of protecting your data. Which is a great sentiment that doesn’t quite jibe with the revelation this week that Google also raids your Gmail account for signs of transactions, and collects them all on a separate webpage for your account. You can find yours here. It includes Amazon purchases, subscriptions, tickets, really anything for which you got an emailed receipt. Google says it doesn’t use the information to serve ads, and that the page exists “to help you easily view and keep track of your purchases, bookings and subscriptions in one place.” Honestly, it’s no surprise that Google’s machines can read your email. But it’s hard to understand on what planet the company thought maintaining a hidden away page that catalogs your retail activity there would read as anything but creepy and invasive. There’s no easy way to delete that history, other than deleting receipts from your email or ticking through them one at a time on your Purchase page. To get at least a little control back over how Google tracks you, head to this preferences page and click “Do not use private results.” Because naturally, Google chose to make the use of private results the default, instead of opt-in.
As trade tensions between the US and China remain unresolved, President Donald Trump this week struck a blow to a favorite target: Huawei, the Chinese tech company that the US has accused of posing a national security threat. In an executive order Wednesday, Trump banned transactions that pose “an unacceptable risk”; the Commerce Department followed by placing Huawei on its so-called Entity List, which severely limits the extent to which US companies can do business with it.
In a lengthy investigative report this week, ProPublica reports that multiple data recovery companies that promised to beat ransomware with the “latest technology” called Proven Data Recovery simply paid off the hackers behind the SamSam ransomware instead. Paying isn’t the worst idea when you’re in that situation, but lying to customers and charging them fees on top of it kind of is.
Adobe Flash is finally going to die off next year, but it’s not the only security-challenged product in the software company’s stable. This week, Adobe released patches for dozens upon dozens of bugs, most of which relate to Adobe Acrobat and Reader. Don’t worry, though; one still applied to Flash.