Apple and Google trade barbs over bugs, digital lothario arrested and Bluekeep gets busy

Also, XKCD forums hacked and Monster monstered


Roundup Here's a look back at some of the latest security bits and bobbles besides the stuff we already covered over the past week.

That's the way the Cook, he grumbles

Apple isn't taking too kindly to Google's decision to disclose a family of security vulnerabilities that were under active attack by Chinese authorities seeking to monitor targeted groups within the country.

On Friday the Cupertino phone flinger issued a statement to criticize Google over the Project Zero report on the flaws and the way it described issues Apple says it long ago addressed.

"Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case," Apple said.

In response, Google issued its own statement in defense of its research team and their decision to issue the report.

"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," Google said.

"We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities."

Neither statement made mention of the targeted populations in China who were subjected to years of government monitoring.

Con-man Casanova cuffed, charged in $2m dating scam

A man from New Jersey has been charged for allegedly scamming more than $2m out of people on dating websites.

Rubbin Sarpong, 35, was said by prosecutors to have run the scheme together with conspirators in Ghana who helped lure the victims into splashing out cash and then processed the payments. Sarpong and his crew are accused of duping more than 30 victims, each time by playing on their emotions via dating sites.

"After establishing virtual romantic relationships with victims on the online dating platforms and via email, the conspirators asked them for money, often for the purported purpose of paying to ship gold bars to the United States," prosecutors allege. "Although the stories varied, most often Sarpong and the conspirators claimed to be military personnel stationed in Syria who received, recovered, or were awarded gold bars."

The scam worked so well that it is alleged the crew made more than $2m, of which $823,386 was deposited directly into Sarpong's own bank accounts. He faces one charge of conspiracy to commit wire fraud and, if convicted, could spend up to 20 years behind bars.

XKCD forums hacked

A bit of an embarrassing turn of events for beloved nerd comic XKCD: the site says its forums have been hit by hackers who were able to make off with some basic user details.

"The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration," the site said.

"We've taken the forums offline until we can go over them and make sure they're secure. If you're an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password."

While the passwords were salted and hashed rather than stored in the clear, it wouldn't be a bad idea to make sure those credentials were not reused for other sites.

Still haven't patched BlueKeep? Now would be a great time

The Windows RDP vulnerability known as "BlueKeep" just got a bit more dangerous, thanks to the release of a Metasploit module that will make the flaw even easier for attackers to exploit in the wild. Other researchers, notably controversial British talent Marcus Hutchins, have also published research.

Having the bug included in the exploit framework will lower the bar for targeting the flaw and will make it easier for criminals to go after end users. If you haven't updated your PC to patch the bug, now would be a good time.

NHS loses 2,000 records from gender identity clinic

The Guardian reports that an NHS-run gender identity clinic in London has managed to lose the email addresses of some 2,000 patients currently in the process of transitioning. While no other patient details were lost, the disclosure of email addresses alone is cause for concern given the personal nature of the clinic's practice.

Man pleads guilty in hare-brained Trump tax hack scheme

Andrew Harris, one of the two college students caught trying to hack President Donald Trump's tax records back in 2016, has pleaded guilty to two counts of computer fraud. He could face up to two years in prison when he is sentenced later this year.

Harris and co-conspirator Justin Hiemstra were cuffed in 2016 when they tried to get hold of the US president's tax records by setting up a fraudulent financial aid application for one of his family members.

Hiemstra pleaded guilty to the same charge last month.

Monster partner leaks CV data

Job-hunting site Monster says one of its clients is to blame for the disclosure of CVs for job seekers.

Apparently one company that had purchased access to CVs from job seekers left some of the files out in the open, only for them to be stumbled upon by researchers looking for exposed storage buckets. Seeing as CVs are, by nature, handed out to complete strangers all the time, this isn't a huge deal, but it's definitely not a good look for Monster.

Facebook Android app caught scooping device details

Not that we're surprised anymore when Facebook is caught digging into user devices for info, but the Social Network is the subject of a report from security pro Jane Manchun Wong, who found that the Android version of the Facebook mobile app was collecting diagnostic information from hundreds of Android libraries.

As Wong notes, the collected information is mostly technical data from various phone components, not personal information or media files. This may not be a huge violation of privacy, but the app certainly is a bit more nosy than most people would like. ®
