This week was filled with wide-scale calamity. Hundreds of millions of PCs have components whose firmware is vulnerable to hacking—which is to say, pretty much all of them. It's a problem that's been known about for years, but doesn't seem to get any better.
Likewise, Bluetooth implementation mistakes in seven SoC—system on chips—have exposed at least 480 internet of things devices to a range of attacks. IoT manufacturers will often outsource components, so a mistake in one SoC can impact a wide range of connected doodads. The most troubling part, though, is that medical devices like pacemakers and blood glucose monitors are among the affected tech.
YouTube Gaming, meanwhile, wants to take Twitch's crown as the king of videogame streaming. But its most-viewed channels are almost all scams and cheats, a moderation challenge that it'll have to take more seriously if it wants the legitimacy it's spending big money to attain. In another corner of Alphabet's world, hundreds of Chrome extensions were caught siphoning data from people who installed them, part of a sprawling adware scheme.
WIRED reported exclusively this week that US officials have pinned a wave of cyberattacks against the country of Georgia on Russia's notorious Sandworm hackers. The hack itself was brazen—defacing 15,000 websites and disrupting two TV networks—but the attribution serves mostly as a warning to Russia that it shouldn't attempt the same sort of malarky stateside.
With the firing of director of national intelligence Joseph Maguire this week, Donald Trump has continued his gutting of senior national intelligence positions. Probably not a great strategy in the long run, especially since Russia is actively supporting both Trump and Bernie Sanders this year, just like they did in 2016. (In fairness, they only want Trump to actually win.)
And that's not all! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Researchers at McAfee have demonstrated a new spin on an old trick. By subtly tampering with a speed limit sign—in this case, literally adding a two-inch strip of black tape—they were able to trick the Mobileye EyeQ3 camera on a 2016 Tesla Model X and Model S into feeding bad information to the vehicles' autonomous driving features, sending both cars into a rapid acceleration. It's a low-tech version of the well-known problem of adversarial examples, image alterations that cause machine learning systems to misinterpret data. (Intel, which owns Mobileye, disputes that it's an adversarial attack, since the tape could have fooled a human eye as well.) The good news is that the problem doesn't affect 2020 Teslas, which no longer use Mobileye technology, and newer versions of the Mobileye camera seem impervious as well. That doesn't help older models, though, which remain susceptible to the shenanigans below:
Ransomware has long targeted victims that have the most to lose. That's typically meant hospitals and governments. But lately hackers have targeted another sensitive field: critical infrastructure. The latest example comes from the US Cybersecurity and Infrastructure Security Agency, which reported this week that a natural gas compression facility went down for two days as they grappled with a ransomware infection. There's not really any good news here, but it certainly could have been worse; the hackers appear not to have targeted industrial control system components specifically. They got lucky with a phishing email, and were only able to impact the Windows-based portions of the victim's network.
If you stayed at an MGM Resorts hotel sometime before 2017, the bad news is that someone hacked one of their servers and stole data relating to over 10 million guests. The worse news is that said data has since been discovered in an online hacking forum, as first reported by ZDNet. The haul includes names, addresses, phone numbers, emails, and dates of birth, and celebrities, politicians, and journalists are among those affected. (Sorry, Jack Dorsey!) It could have been worse—no financial information appears to be involved—but as with any breach, look out for phishing attempts or identity theft.
Adware is like gnats: everywhere, annoying, impossible to get rid of but relatively harmless. But you still have to try, which Google did this week by expelling nearly 600 apps both from the Play Store and its ad networks. That includes 45 apps from a single developer, China-based Cheetah Mobile. Google cited "disruptive ads" as the reason for the removal, framing it as part of a broader crackdown on fraudulent behavior.
In other data compromise news, the Defense Information Systems Agency—which provides secure communications support to the US president and military—informed potential victims this week that their Social Security numbers may have been part of a breach that occurred between May and July 2019. They'll spring for free credit monitoring if you were affected, but honestly you've already got that through Marriott or Equifax or take your pick, right?