Top infosec trends in the social media spotlight this week
A hack that exposed the data of hundreds of German politicians dominated headlines this week, as a 20-year-old German man was arrested.
The suspect allegedly published the personal details of German officials, including Chancellor Angela Merkel, along with numerous journalists and celebrities, via Twitter.
The Twitter user – who referred to themselves as ‘G0d’ – released the private data in batches akin to an advent calendar in the lead-up to the new year.
The campaign was only discovered this week, when federal police officers became involved and raided the home of the suspect.
In the days after reports broke, the Twitter account in question (@_0rbit) was suspended.
The only political party not targeted was the far-right Alternative for Germany (AfD), leading some to believe this was a politically-motivated attack, and possibly the work of a nation-state actor.
The hack ended up being the work of the unidentified young man, who accessed most of the data by obtaining credentials for social media and email accounts, as well as cloud services.
Also called into question by this week’s top news was the relationship between journalists, security researchers, and authorities.
After reports that journalists at German news organization t-online.de allegedly passed on information about the hacker to police, Motherboard reporter Joseph Cox slammed those in question.
“German journalists writing about the hacker that targeted politicians say they’ve passed info to authorities,” he wrote online.
“We rely on sources including criminals to tell a full story. You are not an arm of the state. This appears deeply unethical.”
The publication later issued a correction claiming that the information was already available to the authorities.
The website claims it attempted to verify the information with police, rather than passing it on to them directly.
An upcoming talk at Black Hat Asia was cancelled this week after the researcher’s employer demanded that he withdraw from the event.
Researcher Wish Wu was due to present at the conference, held in Singapore, in March.
His talk would have demonstrated how he was able to crack Apple’s Face ID – a feature in recent iPhone and iPad models.
Wu claimed he was able to bypass the biometrics by using an image printed on standard paper.
However, he was only able to pull off the tricky hack under certain conditions using an iPhone X, and wasn’t able to do so on the iPhone XS or XS Max models.
This led his employer, Ant Financial, to cancel the “misleading” talk.
Wu told Reuters: “In order to ensure the credibility and maturity of the research results, we decided to cancel the speech.”
US company Zerodium announced it would offer up to $2 million in exchange for iOS zero-days this week, sparking an ethical debate online.
The “acquisition platform” said it was willing to pay the eye-watering figure for remote iOS jailbreaks, as well as offering up to $1m for remote code execution bugs in WhatsApp, iMessage, and SMS.
Zerodium is known to buy exploits and sell them on to clients. Though it isn’t known who buys these bugs, many have suspected that customers could be nation-state actors, to whom $2 million is just spare change.
A stark warning to anyone uploading their personal details online – check the recipient is who you think it is.
Developer Sumit Kumar posted a cautionary tale this week, after his friend gave away sensitive information to someone posing as a prospective landlord.
As is common in Germany, the unnamed friend uploaded his ID and two paychecks to secure what he thought was a legit rental opportunity.
But his dream home became a nightmare after the scam landlord used the documents to funnel the victim’s pay into their own account. Ouch.
Sharing sensitive documents online can be hard to avoid in a digital-driven world, so Kumar’s advice? Black out any sensitive details, even when dealing with companies you know are legit.
Finally, a Microsoft employee royally burned the Chicago Police Department this week after they claimed their Windows 7 machines were at the “cutting edge of technology”.