It’s often said that breakfast is the most important meal of the day. You know what goes well with the most important meal of the day? The most important headlines of the week. Byte Sized News is a great way to start your morning as a security professional or a fan of the industry. Get your weekly dose of cybersecurity news and updates in Byte Sized News, the perfect complement to a few flapjacks and a hot cup of coffee.
We’ve got a great lineup of stories this week. First off, we’ll talk about an update on the group everyone loves to hate: the NSA. Additionally, we’ll get updates on a new batch of Joker spyware, a Darknet moderator sentenced to heavy jail time, and much more. It was a busy week for cybersecurity, so you’ve come to the right place to get the news in a condensed, simplified format.
As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on the most compelling developments in the field.
Our first article from the week comes from Threatpost and talks about the notorious NSA snooping scandal. More specifically, this article reports that a U.S. federal appeals court ruled that the NSA mass surveillance program, which was exposed in 2013, is illegal and might even have been unconstitutional. The NSA had long argued that its actions were justified because the surveillance program stopped terrorist attacks, but the court did not agree with that sentiment. This decision comes seven years after the well-known NSA whistleblower Edward Snowden exposed the program, which ended up collecting records of millions of Americans’ phone calls. Understandably, the program received widespread criticism and led to many discussions about our lack of privacy. Snowden responded to this news on Twitter. “Seven years ago, as the news declared I was being charged as a criminal for speaking the truth, I never imagined that I would live to see our courts condemn the NSA’s activities as unlawful and in the same ruling credit me for exposing them. And yet that day has arrived,” Snowden declared. While the NSA sticks to the belief that its efforts helped foil many terrorist attacks, specifically referencing the Basaaly Moalin case, the U.S. appeals court ruled that the NSA’s contribution did not play a pivotal role in that case and might even have violated the Constitution’s Fourth Amendment, which protects against unreasonable searches and seizures.
Our next story from the week also comes from Threatpost. This post details six apps that have been removed from the Google Play store but that could still threaten roughly 200,000 installs. Google deleted the six apps from its store this week because they were infecting users with the Joker malware (aka Bread). The fronts for these apps were varied, ranging from a texting app to an emoji wallpaper, but their true purpose was the same: to infect victims with malware. While the apps have been completely purged from the store, that doesn’t mean they can’t still do damage. Researchers say that copies of the apps still installed on victims’ phones leave those devices at risk of compromise, and urged users to delete the apps immediately. “Most apps embedding Joker malware are programmed to load and execute external code after being published on the store,” Roxane Suau, with Pradeo, told Threatpost. “First, these apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code. Then, they leverage their numerous permissions to execute the malicious code.” The apps you will want to delete are Convenient Scanner 2, Separate Doc Scanner, Safety AppLock, Push Message-Texting & SMS, Emoji Wallpaper, and Fingertip Gamebox.
Our next story, from InfoSecurity Magazine, takes us to the Darknet. An American employed to moderate disputes on an illegal darknet marketplace was sentenced to 11 years in prison this week. Bryan Connor Herrell was hired by AlphaBay to settle arguments between vendors and purchasers. Those purchases covered many illegal items, including guns, drugs, credit card numbers, stolen identities, and much more. At the time of Herrell’s employment, AlphaBay was the world’s largest online marketplace for drugs. The 26-year-old also worked as a scam monitor for the marketplace, looking to protect AlphaBay users from fraudulent transactions. Alexandre Cazes, the founder of AlphaBay, had been indicted back in 2017; he was found dead just days after his arrest and just hours before he was due to meet with prosecutors. US Attorney McGregor Scott of the Eastern District of California said of Herrell’s sentencing this week, “This sentence serves as further proof that criminals cannot hide behind technology to break the law.”
Our second-to-last article from the week comes from CyberScoop. This article details a new order coming directly from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The order gives agencies six months to set up vulnerability disclosure policies (VDPs): official programs for working with outside security researchers to find and fix software bugs. While this practice is commonplace in the private sector, only a handful of federal civilian agencies currently have such programs in place. On Wednesday CISA issued the directive, which requires agencies to establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously, and cover at least one internet-accessible system or service. This action is the latest in a string of moves signalling that federal officials are warming up to the idea of “white-hat” ethical hackers who come from a variety of backgrounds.
Our last article from the week is another one from InfoSecurity Magazine. This article details a one-year compliance deadline for the newly introduced Age Appropriate Design Code, or Children’s Code, which aims to protect the privacy of children on the Internet. The new code will apply to any business providing “online services and products” likely to be used by UK children under the age of 18. It follows the GDPR principle of “security by design” and outlines 15 standards for online development so that developers have a “baseline of data protection” in place when individuals visit a website or open an application. “This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place,” said Information Commissioner Elizabeth Denham. The code’s requirements include geotagging being turned off by default, bare-minimum data collection, and no sharing of that data unless there’s a compelling reason to do so.