Security News for the Week Ending December 21, 2018
Patches This Week
Microsoft issued an emergency out-of-band patch for an Internet Explorer zero-day bug that affects IE 9, 10 and 11 on Windows 7, 8, 10 and the related server versions. The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine. See details here.
The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices. Read the details here.
Taylor Swift Spies on Her Fans
In the turnabout-is-fair-play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers. Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared them to a database of suspected stalkers. They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance. Source: The Register.
Marriott Breach Traced to China
What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach? According to some sources, they are all traced back to China. The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.
Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks. Like OPM, like Anthem, much of the Marriott data – like when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise) – ages quite well.
All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us. Is the pressure just making them hack us even more? Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).
Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport
A Muslim-American traveler was detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East. Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused. He was handcuffed and detained for four hours and missed his flight. When he asked if he was under arrest and needed a lawyer, he was told no. Eventually, after many hours, he relented and unlocked his phone. CBP examined the phone and possibly imaged the phone.
Since he is a natural-born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained.
He is now suing the U.S. government. That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting. Source: The Register.
Facebook Shared Your Data with 150 Partners Without Telling You
The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others. Facebook says that they didn’t do that without users’ permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it. Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not). Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own. Facebook did admit that this raises user trust issues. Likely true. Source: HuffPo.