Well, it’s been a wild and wooly week for security, especially for Face ID, which a group of hackers at a Vietnamese security firm convincingly claim to have broken just a week after the iPhone X release. They’re joined by a 10-year-old boy, who managed to break into his mother’s iPhone X thanks to a little trick known as genetics.
Amazon Key also turns out to be less secure than advertised; researchers discovered that a tech-savvy deliveryman could not only disable your camera, but freeze the frame, allowing them unfettered access to your house. And OnePlus smartphones—literally all of them except the first model—shipped with an app that’s essentially a backdoor, allowing root access to anyone who gets their hands on your phone. Both companies say a fix is incoming.
Another fix that’s in the works: The emergency alert system, which has been broken for years thanks to resistance from the telecom industry. Progress has finally started to materialize—though maybe still not fast enough. The government’s also making wee progress on its vulnerability disclosure process, but newfound transparency doesn’t totally alleviate concerns.
Remember WikiLeaks? They tried to turn Donald Trump Jr. into a source during last year’s presidential campaign, which should come as a surprise to approximately no one. And speaking of memory, Jeff Sessions has the worst one we’ve seen in a while; we rounded up the 47 things he told Congress—under oath—he didn’t recall this year.
Use Facebook? Take a minute to tweak your settings this weekend for maximum privacy. Also, be sure to check out this month’s magazine cover story, an in-depth look at the case of a woman who suffered extreme digital harassment
And there's more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
The bad news: The Pentagon left a database exposed that contains at least 1.8 billion documents. The very good news, in this context: The stash primarily comprised news stories, Facebook posts, internet comments, and other public-facing digital detritus. No government secrets, as such. The data, discovered by Chris Vickery of UpGuard, goes back eight years. And while the contents aren’t exactly devastating, the fact that the Pentagon used a third party to store its files and flubbed the set-up does stoke concerns about its overall cyber posture. The good news is, DoD has finally started to let hackers into its life through a robust bug bounty program. Maybe one of them can help keep this from happening again.
We already knew that an NSA contract made a serious goof by bringing his (classified) work home with him on his personal computer, which allegedly let Russia steal state secrets that got swept up in a Kaspersky antivirus sweep. But a new report from Kaspersky claims that it’s even worse than it first seemed; Motherboard reports that Kaspersky says the unnamed contractor had at least 120 malicious files on his computer. That opens the door to the possibility that not just Russia, but any number of sophisticated state actors could potentially have compromised his machine, and stolen NSA info in the process. Which again just goes to show that putting that much faith in contractors maybe isn’t such a hot idea.
Popular drone manufacturer DJI kept a copy of the private key for the HTTPS certificate for its site on GitHub, fully viewable, for as long as four years, according to security researcher Kevin Finisterre. The company also left its AWS credentials exposed. The full effect: Not only could hackers use the HTTPS certificate key to pull off man in the middle attacks, they could have found personal info of DJI customers in the cloud. Not ideal! DJI told The Register that they’ve hired an outside firm to help manage the situation.
Antivirus software gets a bad rap sometimes, although not for no reason. Giving any program that much access to your computer exposes you to all kinds of potential calamities. One researcher has found a new example of AV’s issues, a vulnerability he calls AVGater. The way it works: Compromise an AV program, have it quarantine a bit of malicious code, then put that code somewhere it doesn’t belong. The researcher, Florian Bogner, says that about a dozen popular antivirus programs were subject to the attack, which he used to get local admin privileges. Several antivirus vendors have already fixed the vulnerability, but Bogner says he’s found seven more that are affected that haven’t yet worked through a fix.
