Sign up to our newsletter
This week in security, we covered a full range of privacy and malware, with controversial plans to equip police officers with facial recognition packed Google Glass in Dubai, and the BadUSB malware finding its way on to GitHub. We also reported on the good news of a patch locking out a long standing, but only recently discovered, exploit in Bugzilla, the open-source bug reporting tool which may have offered “a veritable gold mine of vulnerabilities that would be highly prized by cybercriminals.”
The week began with the extremely concerning news that a varient of the BadUSB malware which was demonstrated to make any USB port a malware entry point had been posted to GitHub by security researchers Adam Cadill and Brandon Wilson, in order to try and force a fix.
As we reported at the time, this may sound risky but it isn’t actually against the site’s Terms of Service, with a GitHub spokesperson saying to ReadWrite: “Security researchers often release a proof of concept to raise awareness of the vulnerability in the security community, and to encourage people to protect themselves. A repository that contains a proof of concept but isn’t maliciously or covertly distributing malware would not be in violation of our terms of service.”
A fix – of sorts – was actually announced shortly after by the same researchers who uploaded it, but as it involves a patch to disable Boot Mode which only works with Phison’s USB 3.0 firmware, followed by using epoxy to physically alter the drive, it’s far from a fix for everyone.
From our very own ESET Research team came the news that the Sednit espionage group has graduated from using spear-phishing emails to a custom exploit kit.
“In recent years, exploit kits have become a major method employed to spread crimeware, malware intended for mass-scale distribution to facilitate financial fraud and abuse of computing resources for purposes such as sending spam, bitcoin mining, credentials harvesting etc,” writes our researchers in a thorough post which goes on to explain what indicators to look for, for those concerned of compromise.
A long-standing Bugzilla issue which could have provided “a veritable gold mine of vulnerabilities that would be highly prized by cybercriminals” was found… and swiftly patched this week.
The exploit allowed attackers to bypass the developer registration process, and then to gain privileged information by faking an email address on the domain of their targeted Bugzilla installation.
The issue affected all versions of Bugzilla dating back to version 2.23.3 from 2006, but Mozilla stated that – for their original version at least – the exploit would not have worked stating that it was impossible for them “as their installation does not send bug reports to all domain addresses”. They conceded it’s theoretically possible on custom installations where bugs are sent ‘to all employees’ however.
Patches were quickly made available on Monday, which you can download from the Bugzilla site.
In a look into what may be in the future of malware, Professor Giovannia Vigna from the University of California stated his belief that malware may begin to offer genuinely useful functionality… but only while its establishing if it on a real computer, or a security researcher’s.
An example of this might be a defragger functioning as intended, flying under the radar making calls which may not be unexpected as they would be from, say, a text editor.
Vigna has yet to see any software trying this trick, but it seems the next logical step from his perspective.
The police force of Dubai are due to be fitted with Google Glass equipped with facial recognition software to catch wanted criminals.
Initially the plan is to test out the concept on traffic offenses, looking for offending vehicles, but assuming there are no issues, this will be rolled out to include a facial recognition database of wanted characters from the Gulf capital.
This is complicated by the fact that Google does not allow the spreading of facial recognition software in a policy dating back to last year. But this won’t stop developers sideloading such software, thus bypassing the Google privacy test.
$1,500 – the retail cost of Google Glass in the US – may seem a lot to pay out for every office in the scheme, but Dubai’s police force has shown itself not afraid to shell out for expensive extras. Last year, the country stated it would be supplying the police force with $400,000 Lamborghini sports cars.
Author Alan Martin, ESET