Top infosec trends in the social media spotlight this week

Tech industry headlines this week were dominated by news of a serious bug in Apple’s FaceTime video calling platform.

The software flaw, first documented by 9to5Mac, allowed a user to call anyone on FaceTime and immediately hear audio coming from their phone – before they had even accepted or rejected the incoming call.

Reports of the unintended privacy-busting feature quickly filtered through social media and news outlets around the world. It was subsequently revealed that the glitch was discovered by a 14-year-old boy from Arizona.

While Apple was quick to disable FaceTime Group calls as it worked on a fix, the incident has once again raised questions surrounding the tech giant’s vulnerability disclosure policy.

Such was the apparent outrage at Apple’s oversight that New York state Attorney General Letitia James has launched an investigation into the company’s handling of the FaceTime bug.

A US lawyer has also joined the fray by filing a lawsuit (PDF) against the tech firm. Houston attorney Larry Williams claims the bug allowed someone to listen in on a private meeting.

For some security specialists, the response to Apple’s FaceTime glitch has been a little OTT.

A patch for the bug will be released next week, Apple said today.

In Asia, the Japanese government has passed a new law to allow state-sanctioned hackers to probe citizens’ internet of things (IoT) devices as part of an effort to improve the nation’s cybersecurity ahead of the 2020 Summer Olympics in Tokyo.

According to a report from the country’s national broadcaster, NHK, the legislation will pave the way for government white hats to “randomly break into about 200 million devices, such as routers and webcams”.

The exercise will be conducted by Japan’s National Institute of Information and Communications Technology, which reportedly found that IoT devices were leveraged in more than 50% of cyber-attacks detected in 2017.

Commenting on the new legislation in a blog post earlier this week, Ashish Gupta, CEO of Bugcrowd, welcomed the “bold” move.

“Having a robust and proactive security posture is critical in today’s climate,” he said. “It’s why vulnerability disclosure is becoming best practice, and even a requirement in some industries.

“More companies and government agencies are adopting proactive approaches to security. And while Japan’s approach is radical, their goal to ‘increase the safety and security of people’s devices’ is something we can all understand and appreciate.”

In legal news, a US judge has rejected Yahoo’s proposed data breach settlement with millions of users, saying the company’s refusal to disclose the total amount to be paid was insufficient.

In a 24-page ruling (PDF), Judge Lucy Koh said: “The proposed notice does not disclose the costs of credit monitoring services or costs for class notice and settlement administration, and does not disclose the total size of the settlement fund.

“Without knowing the total size of the settlement fund, class members cannot assess the reasonableness of the settlement.”

The denial means the parties will now be required to consider new terms.

In search of some weekend viewing? An interesting mini documentary surfaced on YouTube this week that traces the rise and fall of LimeWire – the notorious p2p file sharing client.

The documentary is bursting with mid-2000s tech nostalgia, as Matt Castro takes viewers on a whirlwind journey of illegal downloads, high-profile lawsuits, and, of course, malware – lots and lots of malware.

At its peak, LimeWire had more than 50 million users downloading music, movies, and software on a monthly basis. And according to NPD Group, the file-sharing program was at one point responsible for 80% of all music illegally downloaded in the US.

It’s perhaps no surprise that the service was forced to close its operations for good in 2010, settling out of court with the Recording Industry Association of America for a massive $105 million.

Reflecting on the lasting impact of the now-iconic p2p client, Castro said: “During the time of LimeWire, millions of files were being illegally downloaded on a daily basis. And with it came the evolution of the entertainment industry as we know it.”

A lively discussion of the file-sharing networks of yesteryear took place on Reddit this week.

“I remember the moment I realized I could use Limewire to download Limewire Pro,” one user said. “Felt like a 1337 haxor.”