This week in security, we took a long look at a long-running scam: A man who hacked his way into at least 78 hotel rooms over the course of several years, thanks to a known bug that let him slip in and out like a ghost. Or if you’re into something a little more whimsical, we found what very much appear to be the Amazon Wish Lists of several of Donald Trump’s inner circle. Something for everyone! And there’s so much more.
The alt-right has said they came to Charlottesville with peaceful intentions, but online chats leading up to the event suggest at least some of them had violence on the brain. North Korean president Kim Jong-Un appears to have had a similar mindset this week, sending a missile over Japan with no warning, a direct and defiant response to Trump’s previous nuclear bluster.
Thinking more locally, it turns out to be alarmingly easy to steal money off of gift cards. The rates that prisons charge inmates to conduct video chats with loved ones are so exorbitant that they amount to a different kind of theft. We also took an in-depth look at how the Android Security team helped fortify the recent Oreo release—and took big steps to help solve the operating system’s ongoing fragmentation woes.
Of course, there’s more, which is why we’ve rounded up all the news we didn’t break or cover in depth this week. As usual, click on the headlines to read the full stories, and be safe out there.
While it’s not clear exactly which celebrities were impacted, Instagram acknowledged this week that a bug in its API allowed hackers to get their hands on the phone numbers and email addresses of “high-profile” Instagram users, which presumably means verified accounts. No passwords were compromised, and Instagram says it has contacted all impacted accounts. The worst-case scenario here would be some semi-elaborate social engineering that led to an account takeover, but mostly, if you’re famous, you might want to change your number.
It turns out that digital security gets pretty messy after we’ve put computers in our pockets, our cars, our door locks—and perhaps most of all, our bodies. There’s no better evidence of that than hundreds of thousands of people with heart conditions being told by the US government that they need to update their pacemakers’ firmware or face a potentially deadly hacker attack. This week the FDA warned 465,000 people with pacemakers made by St. Jude Medical, now owned by the healthcare company Abbott, that they’d need to visit a doctor who can perform a firmware update, designed to fix a critical security vulnerability, on the digital devices in their chests. Last year the hedge fund Muddy Waters revealed, with the help of the security consultancy MedSec, that St. Jude’s pacemakers were vulnerable to hackers who could take control of the software used to configure the pacemakers and wirelessly attack them from as far as 100 feet away. That would allow hackers to disable the pacemakers or even use them to deliver potentially fatal electric shocks. While Muddy Waters used that revelation as an opportunity to short-sell St. Jude’s stock in a controversial move, their findings were nonetheless backed up by security firm Bishop Fox, which independently tested the pacemakers. The FDA’s announcement this week means that pacemaker patients now have a solution to that cardiac security threat—but one that requires a doctor’s appointment rather than a mere internet update to implement.
Spam scourges are not new to the internet. But the recently discovered Onliner spambot looks like a particularly nasty specimen. The spambot’s list comprises 711 million records, which include email addresses and, in some cases, passwords as well. The spambot sends emails to each of those accounts that contain a single, invisible tracking pixel, which sends back details about the target’s operating system. That helps an attacker know whom to target with so-called Ursnif malware, which only affects Windows devices. What makes Onliner particularly insidious is its ability to circumvent spam filters by using confirmed email addresses gleaned from previous public breaches to disseminate the spam. Bad times! As always, don’t open emails from people you don’t trust, and if you do, set your inbox to block images to make it harder for pixels to track you.
Kaspersky may be under constant suspicion—and even an FBI investigation—due to its ties to the Kremlin, but that doesn’t stop it from occasionally exposing Russian hacking operations. This week the company revealed that in February it alerted its customers to a hacking operation it called WhiteBear, which it believes is likely a subgroup of the hacking team Turla, believed to be employed by the Russian government. The WhiteBear operation penetrated a series of embassies and consulates around the world from February to September of 2016, Kaspersky’s analysts say, but switched to targeting military organizations in the first half of 2017. Kaspersky has been under FBI investigation for possible ties to the Putin regime, and the cybersecurity industry has repeatedly warned that its antivirus software could be used for covert spying. But the WhiteBear report should serve as a counterexample to anyone who describes Kaspersky as a simple pawn of Kremlin spy agencies, and it’s not the first time Kaspersky has exposed Russian spying. At its Security Analysts Summit in April, the company’s researchers detailed connections between Turla and a 20-year-old backdoor used in Russia’s global spying operation known as Moonlight Maze.