Cyber Security Headlines Week in Review: NPD breach update, Hawaii hacker sentenced, Poisoned LLM coders

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Bethany De Lude, CISO, The Carlyle Group

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Google Pixel devices shipped with vulnerable Verizon app

A majority of the Pixel devices shipped since September 2017 come with a dormant app called Verizon Retail Demo Mode. It is not made by Google but by a third-party vendor and, according to Google, is owned by Verizon, which requires it on all Android devices. Embedded in this app is another app, Showcase.apk, which, according to mobile security firm iVerify, “downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level.” This leaves Android Pixel smartphones susceptible to adversary-in-the-middle (AitM) attacks, granting malicious actors the ability to inject malicious code and spyware. “Since this app is not inherently malicious, most security technology may overlook it and not flag it as malicious, and since the app is installed at the system level and part of the firmware image, it can not be uninstalled at the user level,” iVerify added.
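The weakness iVerify describes is a general one: a privileged component that fetches configuration over cleartext transport and acts on it without checking integrity hands an on-path attacker control of that component. The following added example (not code from Showcase.apk, Verizon, Google or iVerify) shows the unsafe fetch-and-apply pattern beside a hardened version that refuses non-HTTPS transport and verifies an integrity tag before the configuration is parsed. The network, the sample configuration bytes, the attacker model and the signing key are all constructed for the example; HMAC stands in for the asymmetric signature a real vendor would use, so that the example runs with only the standard library.

```python
"""Unsafe vs. hardened remote-configuration loading (illustrative, constructed).

The unsafe loader trusts whatever the network returns.  The hardened loader
(1) refuses cleartext transport and (2) verifies an integrity tag over the
body before parsing it, so a body rewritten on the wire is rejected even if
the transport check were somehow bypassed.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample data: a benign configuration and the body an on-path
# attacker would substitute for it.  Neither comes from the real app.
GOOD_CONFIG = b'{"demo_mode": true, "loader_url": null}'
TAMPERED_CONFIG = b'{"demo_mode": true, "loader_url": "http://attacker.invalid/module"}'

# Assumption: stand-in for the vendor's signing key.  A real deployment ships
# only a public key in the app and verifies an asymmetric signature; a shared
# HMAC key is used here purely to keep the example dependency-free.
SIGNING_KEY = b"example-vendor-signing-key"


def integrity_tag(body: bytes) -> str:
    """Tag the vendor would publish next to the configuration."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def verify_config(body: bytes, tag: str) -> bool:
    """Constant-time check that `tag` matches `body`."""
    return hmac.compare_digest(integrity_tag(body), tag)


class SimulatedNetwork:
    """Constructed stand-in for the network.

    With `attacker_on_path=True`, any response fetched over plain http has its
    body rewritten, the way an AitM attacker can alter a cleartext response.
    The attacker does not hold the signing key, so the published tag is
    unchanged and no longer matches the rewritten body.
    """

    def __init__(self, attacker_on_path: bool = False):
        self.attacker_on_path = attacker_on_path

    def fetch(self, url: str) -> tuple[bytes, str]:
        body, tag = GOOD_CONFIG, integrity_tag(GOOD_CONFIG)
        if self.attacker_on_path and urlparse(url).scheme == "http":
            body = TAMPERED_CONFIG
        return body, tag


def load_config_unsafe(net: SimulatedNetwork, url: str) -> dict:
    """The pattern to avoid: parse and act on whatever came back."""
    body, _tag = net.fetch(url)
    return json.loads(body)


def load_config_hardened(net: SimulatedNetwork, url: str) -> dict:
    """Refuse cleartext transport, then verify integrity before parsing."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing cleartext transport for configuration")
    body, tag = net.fetch(url)
    if not verify_config(body, tag):
        raise ValueError("configuration integrity check failed")
    return json.loads(body)


if __name__ == "__main__":
    hostile = SimulatedNetwork(attacker_on_path=True)
    # Unsafe loader over http: the attacker's loader_url is accepted.
    print(load_config_unsafe(hostile, "http://config.example/demo.json"))
    # Hardened loader rejects the http URL outright.
    try:
        load_config_hardened(hostile, "http://config.example/demo.json")
    except ValueError as err:
        print("rejected:", err)
    # Even if the transport check were bypassed, the tag exposes tampering.
    print("tampered body verifies:", verify_config(TAMPERED_CONFIG, integrity_tag(GOOD_CONFIG)))
```

The two checks are deliberately independent: the transport rule blocks the attack at the network layer, and the integrity check catches a modified body regardless of how it arrived, which is the property a defender wants from any component that runs with system privileges.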

(The Hacker News)

‘Only’ 1.3 million affected by National Public Data breach

The Florida-based data broker officially confirmed the breach, which happened earlier this year and is now estimated to have impacted 1.3 million people in the U.S., UK, and Canada. However, that estimate is far less than the original 2.9 billion rows of information that the threat actor claimed to have taken. The stolen information included full names, email addresses, phone numbers, and Social Security numbers.

(The Register)

Man who hacked Hawaii state registry sentenced

In January 2023, Kentucky man Jesse Kipf used stolen login credentials to access the Hawaii Death Registry System and “certified” his own death. The creds belonged to a physician who worked for a local hospital but had left the job in 2021. By certifying his own death records, Kipf avoided paying more than $116,000 in child support. Hawaii’s Department of Health sent breach notices to affected individuals after cybersecurity firm Mandiant found the credentials had been sold on the dark web. Kipf also hacked into other state death registry systems and “governmental and corporate networks,” then sold stolen data to “customers” in Russia, Algeria and Ukraine. On Monday, he was sentenced to 81 months in prison.

(The Record)

Google Play Store’s bug bounty program ending this month

Google’s seven-year-long bug bounty program for Android apps on the Google Play Store is set to conclude on August 31, 2024. Launched in 2017, the Google Play Security Reward Program (GPSRP) initially focused on a select group of developers and apps, offering rewards of $5,000 for the most critical vulnerabilities. In 2019, the scope widened to include all apps distributed on the platform, with payouts reaching $20,000. While termination of the program raises questions about the future of the overall security posture of the Android ecosystem, Google said it will continue to invest in various security initiatives, including the Android Vulnerability Rewards Program (AVRP) which focuses on the underlying Android OS.

(The Cyber Express)

Thanks to today’s episode sponsor, Nudge Security

When your CEO asks “Hey, are we using that SaaS app that was just breached?”, how quickly and confidently can you answer?
Stop guessing with Nudge Security. Discover all SaaS accounts ever introduced by anyone in your org, in minutes and get alerted when any SaaS app used in your org is breached.
Start a 14-day trial now at nudgesecurity.com/saas

Poisoning LLMs to create insecure code

At the USENIX Security Symposium, a team of academic researchers presented details of CodeBreaker, a set of techniques to poison large language model training sets to make them more likely to suggest vulnerable code. The researchers systematically created code samples that don’t register as malicious with static analysis tools. This builds on previous research that used malicious code in comments and split workloads to introduce vulnerabilities to the training set. Of course, this kind of poisoning isn’t new. Research has previously found malicious code popping up in StackOverflow tutorials. And given the lack of quality control when ingesting code scraped from the internet, vulnerable code suggestions are already a reality in these training sets.

(Dark Reading)

Microsoft breaks Linux dual-boot systems

File this under “This is why we can’t have nice things.” Last week, Linux users reported boot failures on machines running both Linux and Windows. This came as a result of issues with a patch to a two-year-old Secure Boot bypass vulnerability on devices with the open-source GRUB bootloader installed. Microsoft said the update would only install an SBAT (Secure Boot Advanced Targeting) policy revoking the vulnerable boot-path components on systems with only Windows installed, but multiple Linux distributions dual-booted with Windows, including Debian, Ubuntu, and my beloved Puppy Linux, saw boot issues. Disabling Secure Boot or deleting the SBAT policy Microsoft pushed in the update remediates the issue, but so far there has been no comment from Microsoft on the issue.

(Ars Technica)

Double Story:

Windows Recall to reappear

Microsoft is deploying an updated version of its Recall feature, which had been initially announced this spring and immediately derided by industry analysts as a keylogger or spyware. The idea behind Recall was to take snapshots of a user’s desktop every few seconds as a tool for keeping track of things. It was removed from the widespread Copilot+ PC release on June 13, but is now being deployed to testers in the coming weeks. Microsoft has not fully clarified how the new version will differ but has said it will include “just in time” decryption and that Windows Insiders would need a Copilot+ PC.

(The Register)

Unified Teams app connects personal, work accounts

A new unified Teams application launched by Microsoft “allows Windows and Mac users to switch between personal, work, and education accounts without installing multiple apps, and also helps users switch between accounts without signing out and signing in again and allows them to join meetings without logging into an account. Microsoft Teams will be available as a single application, enabling users to seamlessly switch between multiple cloud environments, tenants, and account types across personal and work,” the Windows Insider team said.

(BleepingComputer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.