Mobile spyware fan Saudi Crown Prince accused by US intel of Khashoggi death
Plus: Critical Cisco flaw, NSA advice, and someone hacked Gab?
In Brief The murder of Washington Post columnist Jamal Khashoggi, which is said to have been aided by digital surveillance, was ordered by the head of the Saudi Arabian government, US intelligence has publicly asserted.
Khashoggi, a critic of the ruling Saudi Arabian royal family, was ambushed and assassinated in 2018 when he visited the Saudi embassy in Istanbul thinking he was collecting paperwork for his upcoming wedding.
Last week, Uncle Sam's Office of the Director of National Intelligence (ODNI) released a statement fingering Crown Prince Mohammed bin Salman for orchestrating the killing, which a lawsuit claims was aided by tracking technology provided by spyware biz NSO Group. Saudi-born Khashoggi was a legal US resident on an O-type visa reserved for foreigners of exceptional ability and achievements.
The Crown Prince, according to the UN, also had Washington Post owner and Amazon supremo Jeff Bezos's iPhone hacked to dig up dirt on the American billionaire.
Warning: Cisco app services insecure due to critical flaw
If you're running Cisco Application Services Engine release 1.1(3d) and earlier, it's time to get patching: anyone who can reach a vulnerable installation can hijack it.
"Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes," Switchzilla warned in a Wednesday advisory.
The remote-control flaw was assigned CVE-2021-1393, and is rated 9.8 out of 10 in severity on the CVSS scale. Another bug, CVE-2021-1396, rated 6.5, can be exploited to grant an "unauthenticated, remote attacker access to a specific API on an affected device."
Stormy weather for boat-builder Beneteau
Some boat-building staff at top-tier French shipwrights Beneteau have had the week off after production facilities were shut down in response to a cyber-attack. Last week, the group warned it had suffered "a malware intrusion affecting some of its servers," and was having to shut down a number of departments to stop the software nasty from spreading further.
"Accompanied by experts and the relevant authorities, the group’s teams are fully mobilized to address the consequences of this attack," it said. "Firstly, the deployment of a backup application and systems will enable activities to start up again securely, but in degraded mode. Alongside this, investigations will continue moving forward with a view to fully restoring all of the Group’s systems."
That doesn't seem to have been easy. By Thursday, the boating biz posted an update saying work is still ongoing, and it might reopen some plants on Friday. Its manufacturing facilities in France have been particularly hard hit, it said.
Keybase patches image bug
A quartet of security boffins going under the name Sakura Samurai found the desktop app of Zoom-owned encrypted comms biz Keybase stores images in plaintext in temporary files. This shortcoming is present in the Windows, macOS and Linux builds of the code. The upshot is that if you encrypt and send a sensitive picture to someone via Keybase, delete your copy of the file, and then someone breaks into your computer somehow, they could still view the picture in plaintext in the app's cache.
"A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues," the team noted.
"In addition, there are legal ramifications to such storage of information. For example, Keybase is presenting itself as a secure end-to-end encryption solution. A vulnerability in such a sense could lead to private data being used in court cases against individuals, destroying Keybase’s reputation as a secure and private communication platform."
Users will need to update to Keybase 5.6.0 or later for Windows and macOS, or Keybase 5.6.1 or later for Linux. Updating is usually automatic for Windows and macOS users.
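The Keybase finding above is a classic at-rest mistake: media is protected in transit but a decrypted copy lingers in a cache that deleting the message never touches. The following added example (not Keybase's code, and not how its client is implemented) models that failure beside one hardened variant: the leaky cache writes decrypted bytes with default permissions and leaves them behind on delete, while the hardened cache uses an owner-only directory, creates files with mode 0600, and overwrites and unlinks the file when the message goes away. Class names, the `msg-0001` identifier and the sample PNG bytes are all constructed for the demo.

```python
"""
Added illustration (not Keybase's code): a minimal media cache for a
messaging client, showing the reported flaw and one hardened design.
All paths, names and sample bytes are constructed for the demo.
"""
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample payload standing in for a decrypted photo.
SAMPLE_PHOTO = b"\x89PNG\r\n\x1a\n" + b"constructed-pixel-data" * 16


class LeakyMediaCache:
    """Mirrors the reported behaviour: decrypted images are written to a
    temp directory in plaintext and never removed when the message is
    deleted, so anyone who later gets onto the machine can read them."""

    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)

    def store(self, message_id: str, plaintext: bytes) -> Path:
        path = self.root / f"{message_id}.png"
        path.write_bytes(plaintext)  # permissions follow the process umask
        return path

    def delete_message(self, message_id: str) -> None:
        # Only the message record is dropped; the cached file outlives it.
        pass


class HardenedMediaCache:
    """Same interface; cache files are owner-only and purged on delete."""

    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)
        os.chmod(self.root, stat.S_IRWXU)  # 0700 on the cache directory

    def store(self, message_id: str, plaintext: bytes) -> Path:
        path = self.root / f"{message_id}.png"
        # O_EXCL + 0600: refuse to clobber an existing file, owner-only access.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(plaintext)
        return path

    def delete_message(self, message_id: str) -> None:
        path = self.root / f"{message_id}.png"
        if path.exists():
            # Overwrite before unlink to frustrate casual recovery; on
            # journaling filesystems and SSDs this is best-effort only.
            size = path.stat().st_size
            with open(path, "r+b") as fh:
                fh.write(b"\x00" * size)
                fh.flush()
                os.fsync(fh.fileno())
            path.unlink()


def leftover_images(root: Path) -> list:
    """Audit helper: list cached image files still present under root."""
    return sorted(p for p in root.glob("*.png") if p.is_file())


def demo(cache_cls) -> int:
    """Store a photo, delete the message, return how many files remain."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = cache_cls(Path(tmp) / "media")
        cache.store("msg-0001", SAMPLE_PHOTO)
        cache.delete_message("msg-0001")
        return len(leftover_images(cache.root))


if __name__ == "__main__":
    print("leaky cache leftover files:   ", demo(LeakyMediaCache))     # 1
    print("hardened cache leftover files:", demo(HardenedMediaCache))  # 0
```

The `leftover_images` helper is the kind of check a user or auditor can run against a real client's cache directory after deleting a message: if decrypted media is still listed, the "delete" was cosmetic. The overwrite-then-unlink step is deliberately described as best-effort; full-disk encryption is the control that actually protects cached media against someone who gets hold of the machine.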
NSA advocates zero trust
The American government's top hackers have issued a memorandum advising organizations' infosec teams to trust no one: a zero-trust security model, it says, is the way to go.
Always question inputs and outputs, verify sources before trusting them, and lock down networks so that participants always have to prove who they are, the NSA stated. The agency has, incidentally, long held an internal network security posture of assuming you are already compromised in some way, then compartmentalizing and defending from there, so this advice isn't too surprising.
"To be fully effective to minimize risk and enable robust and timely responses, Zero Trust principles and concepts must permeate most aspects of the network and its operations ecosystem," it said. "Organizations, from chief executive to engineer and operator, must understand and commit to the Zero Trust mindset before embarking on a Zero Trust path."
This applies particularly in the case of supply chains, the agency warned. As we've seen in the SolarWinds fiasco, and most recently with stolen military designs thanks to Accellion's failings, admins need to be a lot more suspicious of applications and users.
Gab patches database hole amid hack claim
Gab, a digital haven for far-right internet outcasts, has patched a hole in its backend systems that was seemingly used to siphon people's public and private user data.
In a blog post on Friday, Gab CEO Andrew Torba said it was claimed "an archive of Gab public posts, private posts, user profiles, hashed passwords for users, DMs, and plaintext passwords for groups have been leaked via a SQL injection attack. We were aware of a vulnerability in this area and patched it last week. We are also proceeding to undertake a full security audit."
An activist group called Distributed Denial of Secrets said 70GB of data and 40 million posts were harvested from Gab by a netizen. Photos and videos weren't taken. Gab, like Parler, is home to conspiracy theorists and insurrectionists linked to the January 6 storming of the US Congress building by supporters of now-ex-President Donald Trump. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon and everything surrounding January 6," Distributed Denial of Secrets' Emma Best told Wired of the stolen data.
Torba first said he had no evidence a security breach had occurred, and then on Sunday complained his and Trump's hashed account passwords had been accessed. ®