GFI – top cyber stories for April 2019

Another month, another raft of privacy and security blunders at world-straddling social media giant Facebook. Following up on a problem first admitted by the firm in late March, where a security review turned up the passwords of “hundreds of millions” of users being stored in plain text, Facebook subtly amended its statement in mid-April to note that the mess also affected “millions” of Instagram users.

The extra info was released, with minimal fanfare, on the same day as the release of the much-anticipated Mueller report, much of which focussed on suspected Russian use of Facebook and other media to influence US elections. The perceived effort to hide bad news didn’t make the company any new friends in the media or elsewhere.

Earlier in the month, yet another snafu had emerged. Researchers had spotted that some users new to Facebook were being asked for their email account passwords, ostensibly to “verify” the email address being provided. While this in itself was rightly seen as an enormous security risk to all users, as well as highly damaging to the educational efforts of the security community over many years, things quickly went from bad to worse. Further investigation revealed that if a user was rash enough to hand over access to their email account, Facebook immediately started harvesting all contact data from the account, without any request for permission or an opt-out feature.

Facebook later admitted the blunder, claiming it was another mistake – this one resulting from a change in the text displayed – and that the whole process of verifying addresses in this way was being discontinued. The contact harvesting nonetheless affected at least 1.5 million users since 2016 (users of most major email services, including Gmail, would not have been pushed down the password-demanding route), and would have scraped the addresses and other information of many millions more.

Assange and Huawei causing headaches for UK government

In a rare change of topic amid the ongoing Brexit debacle, the UK government had to wrestle with some cybersecurity matters too this month.

First they had to deal with the fallout from the removal of diplomatic protection from WikiLeaks founder Julian Assange, who had spent 7 years holed up in the Ecuadorian embassy in London. After moving in to arrest him, police received an immediate request for extradition to the US, where Assange faces computer intrusion charges related to the Chelsea Manning leak of military and State Department secrets.

The rapid response from the Americans led to accusations that the UK government had tipped them off about the impending arrest, ignoring the arguably more salient claims of Sweden, where sexual assault charges against Assange also linger on. Perhaps to avoid this more difficult choice, the UK decided to jail Assange for just under a year for jumping bail, leaving both Sweden and the US with another wait before they’ll know if they’ll get their hands on him.

Meanwhile the ongoing worldwide wrangling over the trustworthiness of 5G networking kit from Chinese giant Huawei caused another upset, after details of a highly confidential UK National Security Council meeting were leaked to the press. The leak led to the sacking of defense minister Gavin Williamson, who denies any involvement, amid much hand-wringing from political commentators.

The actual outcome of the meeting, that Huawei kit would be permitted but only in (not very clearly specified) “non-core” parts of the network, was overshadowed by the outrage over the leak, as indeed were reports that Huawei kit was found to be riddled with bugs, vulnerabilities and poor security practices.

WannaCry-killer goes from hero to criminal

In the US, a British security researcher hailed as a hero for his part in stopping the WannaCry ransomware in its tracks has pleaded guilty to charges of making and distributing malware.

Marcus Hutchins, who wrote a security blog under the name MalwareTech, hit the headlines in 2017 when he spotted the “WannaCry” malware (also known as “WannaCrypt” and “WCry” among others) trying to contact an unregistered domain. After he registered it to sinkhole the traffic and find out more about what the malware was up to, he quickly realized he’d accidentally found a “kill switch” that effectively shut down the worldwide outbreak.

Just a few months later, Hutchins was arrested on his way home from the DefCon conference in Las Vegas, and charged with multiple computer crime offences relating to the creation and distribution of the “Kronos” banking trojan. At the time, Hutchins vehemently denied all charges and conspiracy theories abounded.

Further charges were later added to the sheet, while Hutchins remained on bail in the US. Now, almost two years on, he has confirmed in a rather brief statement that he has entered a guilty plea on two of the ten charges, with the others being dropped.

The charges, which cover activities taking place between 2012 and 2015 relating to both the Kronos and “UPAS-Kit” banking malware, could carry a sentence of five years in jail and a $250k fine for each count.