CrowdStrike mentioned in Trump–Zelensky transcript; ‘502 bad gateway’ error referenced in UK parliamentary proceedings; and privacy concerns raised over Dropbox Paper
Flip the script
This week saw different cybersecurity firms unwittingly thrown into the center of ongoing political maelstroms on either side of the Atlantic.
US President Donald Trump mentioned threat response and intel firm CrowdStrike during a call with Ukrainian President Volodymyr Zelensky in late July.
A transcript of the conversation was released this week by the White House as a reaction to a whistleblower complaint.
CrowdStrike was brought in by the Democratic National Committee (DNC) to investigate a breach on its systems in the run up to the 2016 presidential election.
During the call, President Trump is thought to have referenced what Bloomberg is calling a “bizarre conspiracy theory” that CrowdStrike may have helped the DNC fake the breach.
Trump asked Zelensky to “… find out what happened with this whole situation with Ukraine, they say CrowdStrike… I guess you have one of your wealthy people… The server, they say Ukraine has it.”
During the same call, Trump allegedly asked for help from Zelensky in making trouble for his political rival Joe Biden by investigating his son, Hunter.
The controversy has prompted Democratic lawmakers to take the first step in beginning impeachment proceedings against Trump.
“Trump has denied any wrongdoing and dismissed the proceeding as a ‘hoax’ and ‘another witch-hunt’,” writes the BBC.
CrowdStrike’s appearance as an extra, meanwhile, attracted plenty of comment on social media – much of it along the lines of there being no such thing as bad publicity.
For its part, the security firm has remained quiet.
A blog post by Rob Graham of Errata Security offers a CrowdStrike–Ukraine explainer, giving some much-needed context to the frankly confusing reference.
Hacker House in the HoC
Hacker House – one time employer of US extradition target Lauri Love – found itself the topic of questions in the UK’s House of Commons when it reconvened on Wednesday.
The firm was co-founded by Jennifer Arcuri, a “close personal friend” of Boris Johnson during the time the prime minister was mayor of London.
According to reports, Hacker House was awarded government grant worth £100,000 via a fund earmarked for UK businesses.
Questions were asked about the now PM’s role in securing the grant as well as whether or not the cybersecurity training firm is a UK business.
Acuri returned to the US last year, and press calls to the company this week were said to have been handled by US-based staff.
Matt Warnam, junior minister at the DCMS, repeatedly said that Johnson was not involved in the decision to offer Hacker House a grant.
Around half (£53,000) of the grant to Hacker House has been suspended pending a “review” by DCMS.
Matthew Hickey, co-founder of Hacker House, a firm that offers cybersecurity training and services, took to social media to defend the firm, which he essentially argued had become collateral damage during a Westminster firefight.
During questions on the topic, Labour party deputy leader Tom Watson pointed out that the site of Hacker House had dropped offline, leading to the first-ever reference to a “502 bad gateway” error in parliamentary proceedings.
Paper trail
Elsewhere, security engineer Koen Rouwhorst took to Twitter to draw attention to a ‘feature’ in Dropbox Paper that he said was leaking user information and was “just waiting to be abused”.
Dropbox Paper is the file hosting company’s collaborative document-editing service, similar to Google Docs.
According to Rouwhorst, if you share a Dropbox Paper document publicly, “any viewer can see the full name and email address of any Dropbox user who has ever opened the document”.
“It is trivial to crawl for public Dropbox Paper document URLs and harvest personal details of tens (or hundreds?) of thousands of Dropbox users,” he explained.
Dropbox responded to Rouwhorst’s concerns by stating that this was an intended feature of the service, and that users are given ample warning before accessing public documents.
Patch bonanza
In vulnerability news, there’s been a raft of out-of-band security updates from software giants including Microsoft, which this week rolled out an emergency patch to address a remote code execution (RCE) bug in Internet Explorer.
Adobe joined the fray by issuing an update to resolve a trio of bugs in ColdFusion – two of which were deemed critical.
And if that wasn’t enough, the developers of vBulletin published a set of patches to fix a critical vulnerability in the web forum software that was disclosed by an anonymous party earlier this week.
Dance like no one’s watching
And finally, it’s now been 24 years since the launch of Windows 95. To mark this momentous occasion, comedy writer Mike Camerlengo took a humorous deep dive into the on-stage antics of Messrs Gates, Ballmer & Co. (amp-audio required):
It later transpired that the footage may not have come from the Windows 95 launch event, but rather an internal sales meeting in a hotel back in the day.
However, with running commentary of the Microsoft executives’ spontaneous dance moves that includes the lines “half fist pump to air drum solo”, who cares?
Additional reporting by John Leyden.