OpenSSL patches, Apple bug fixes, Hilton's $700k hack bill, Kim Dotcom raid settlement, Signal desktop app, and more

Happy weekend, everyone, except those of you on call, of course. Let us catch you up on all the IT security bits and pieces besides what's been reported this week.

Down in New Zealand, Kim Dotcom, the bête noire of Hollywood, reached a settlement with the New Zealand authorities over a rather dramatic raid in 2012 on his home. Cops flew in with guns and dogs to arrest Dotcom and found him hiding in his panic room.

The terms of the settlement haven't been announced, but Dotcom's lawyers said the police have promised to review their tactics. Dotcom said he hopes to make his permanent home in New Zealand. Maybe Peter Thiel will be a neighbor?

Email ennui

As seems to be so often the case these days, emails became news items this week. First off, President Donald Trump's daughter Ivanka came under the spotlight for using her personal email for US government business. This isn't the first time she's been warned on this, and details emerged from a freedom-of-information request that she was still using her personal inbox for conversations with treasury department officials.

However, it was Hillary Clinton's emails that sparked the bigger headlines. An investigation into the hacking of the Democratic Party revealed some interesting snippets, notably that Guccifer 2.0 actually edited the contents before passing them on to WikiLeaks for dissemination.

The infiltration of the party's computer systems began on March 10 last year, and at first weren't that well targeted. The hacker, or hackers, impersonated Gmail's technical support personal to trick party officials into handing over their account passwords, and, as we all know, it only takes one cockup for a hacking campaign to take hold.

But Hillary and the Democrats weren't the only target of the hackers. Kremlin-linked miscreants also reportedly went after foreign journalists, US military contractors, and even the Pope's personal envoy to the Ukraine.

In addition, Twitter announced it has identified 2,752 accounts [PDF] on its milliblogging platform that were fakes set up to cause mischief by Russia's Internet Research Agency – aka Putin's troll central. Some of the handles amassed thousands of followers, who are presumably feeling somewhat red-faced over being duped. Among them was Jenna Abrams, a master troll princess who duped journos and the rest of the world.

Fatal flaws

On the flaws front, it has been a busy week – thanks in part to the mobile phone version of the Pwn2Own competition run in Japan. Hackers fly in from around the world to win big money compromising gear by exploiting zero-day vulnerabilities, and weren't disappointed - $515,000 was paid out in bug bounties.

The contest saw some innovative hacks, including the longest attack chain ever seen in the competition. MWR Labs linked together 11 bugs in six different apps to harvest data from a Samsung Galaxy S8, and several iPhones also fell to the infosec gurus. The good news is that all the exploited bugs have been reported privately to the affected software and hardware makers, so look out for patches coming soon for these leveraged holes.

Separately, Apple released a big pile of security updates for its shiny gear. In all, seven patches were released, fixing multiple issues with macOS, iOS, Safari and iTunes. You can review the whole list here – download and install them as usual.

Google had its own software cockups. A cunning hacker managed to find flaws in Google's internal bug tracker, which it uses to manage issues and vulnerabilities with its vast sprawling empire of code. Security researcher Alex Birsan found out about the system and went digging. He not only found enough coding errors to allow him to get into the confidential database, but also to win him $15,600 in rewards from a grateful Google, which has traditionally been a strong supporter bounties.

(Speaking of Google, Pixel 2 XL handsets shipped with no operating system installed. Oops!)

OpenSSL also had its own issues this week. A moderate, but still important, flaw has been found in how the code handles encryption, to the extent that if it was applied an attacker with enough computing power, it could get some serious hacking done.

Hacking the home

The week began with the FBI warning of a new type of hacking that can earn the criminal scum big money and leave people with serious losses. The scammers are now targeting home buyers.

It works like this. The hacker gets onto the network of the realty agent selling a house – a profession not known for its IT prowess. When someone buys it, the hackers change the details of the payment account receiving the funds to one they control and then make their getaway, leaving everyone out of pocket.

Lovesense, the manufacturer of a mobile-phone operated vibrating butt plug, took issue with stories of how it can be hijacked and set off remotely because it's so easy to hack. On a reconnaissance mission in Berlin, the hackers found an open device that could have been activated.

Now the manufacturer has hit back, saying that it's almost impossible to hack into its devices. The company pointed out that it was Bluetooth at fault, not the device, the attacker would have to be within 30 meters of their target, and that if they had connected it to their phone then there was no chance of the device becoming a pain in the arse.

As for the consequences of hacking, Hilton Worldwide agreed to settle with the authorities for allowing not one but two hacking attacks to take place. The hotel group agreed to pay a total of $700,000 to New York State for allowing customer's credit cards to be stolen, and for not reporting it in time.

Finally, good news for fans of the secure messaging service of choice for hackers and those that work in the field – Signal. The service had a brief outage last week, and this week announced that it has a desktop app now.

This is welcome news, but you do have to have the mobile app on your phone for it to work. That said, it's the most secure messaging app out there and it's run by people who won't sell you out to the highest bidder. ®

PS: Don't miss the Microsoft staffer who, during an Ignite presentation on Azure, stopped to install Google Chrome because Edge just wasn't working properly with the Redmond cloud. Oops. It's 37 minutes in from this vid below...

If you haven't seen it: Microsoft bod installed Chrome during an Azure talk because Edge kept crashing (ff 37min) https://t.co/b2USWlWleY

— The Register (@TheRegister) October 31, 2017