A Week in the News: Previewing Black Hat, DEF CON

In the news this week: more APT campaigns, a look forward at the DEF CON and Black Hat hacker conferences, and good and bad news for Facebook.

Two of the world’s premier hacking and security conferences take place next week in Las Vegas, Nevada: Black Hat and DEF CON. In this week’s recap, we’ll look forward to those events but also back on the week’s news.

Hacker Conference Previewing

The Black Hat and DEF CON security conferences begin next week, so we’ll begin our weekly news recap by looking forward:

Briefings to look forward to include Kaspersky Lab security expert Vitaly Kamluk’s talk, in which he will revisit the Absolute Computrace vulnerability, which we wrote about during the Security Analysts Summit back in February.

Security researcher Joshua Drake will present on a tool he’s built that could revolutionize the study of Android security. The tool essentially clusters together as many different Android devices – each with its own slightly different proprietary operating system – as he could find. In this way, he believes, security researchers will have a more complete view of the vast Android operating system. Another interesting Android briefing will be that of Bluebox Security’s Jeff Forristal, whose research suggests that there is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application, enabling an attacker to insert malicious code into legit apps or even wrest control of an affected device.

As for DEF CON, they’ll be hosting a router hacking contest at this year’s event. The router to be hacked is the SOHO Wi-Fi router. The rules are listed on the SOHOpelessly Broken website. Contestants must identify and demonstrate their zero-day exploit during DEF CON. Prizes will be awarded, but we aren’t sure what they are yet.

Trouble for the World’s Largest Social Network

Back to the news that’s already happened: Facebook had its good and bad this week.

First, on Monday, a conglomeration of privacy advocates in the U.S. and Europe requested that Facebook be made to hold off on the implementation of its new targeted advertisement policy. In the past, Facebook’s advertisements were based almost entirely on the pages its users liked. Last month, the social network made a puzzling announcement, saying they would give users more control over the ads they see while also beginning to collect information about their users’ broader Web-surfing behavior.

The groups that issued the complaint to the FTC are hoping to delay or altogether stop Facebook’s move toward mining information from users outside Facebook’s domain. The groups are saying that Facebook’s program “directly contradicts its previous statements” about privacy and user tracking and that the network misled users last month when it said they would be able to control which ads they would see.

The next day, per Threatpost, Facebook fixed a vulnerability in its Android app that could have allowed an attacker to cause a denial-of-service condition on a device or run up the victim’s mobile bill by transferring large amounts of data to and from the device. So, if you run Facebook on Android, make sure you install the latest update if you haven’t done so already.

It also turns out that the mobile version of Facebook’s wildly popular photo-sharing service Instagram doesn’t deploy full encryption. Because of this, users are at risk of exposing their browsing behavior and having their session cookies stolen, which could ultimately lead to account hijacks on both Android and iOS. Facebook and Instagram are aware of the issue and say they will fix the problem, but have not yet committed to a date for that fix. Read more at Threatpost and on the Kaspersky Daily.

Advanced Persistent Threats

It also emerged this week that Chinese advanced persistent threat (APT) hackers set their sights on defense contractors involved in the development of Israel’s notorious “Iron Dome” missile defense system. They reportedly stole detailed schematics for a particular type of anti-ballistic missile, information about rockets, and pages upon pages of other mechanical documents from a trio of Israeli defense contractors between 2011 and 2012.

Another allegedly Chinese APT group hacked into one of Canada’s premier research and technology organizations, forcing them offline. Threatpost’s Chris Brook writes that the attack was so serious that the organization is being forced to rebuild its entire system. Canada is not yet saying when the attack took place nor is it divulging what was taken.

In Other News

Senator Patrick Leahy (D-VT) introduced a bill that aims to curtail NSA surveillance power by ending the bulk collection of metadata and placing more oversight on the Foreign Intelligence Surveillance Court. WhisperSystems released Signal, an iPhone app that will let users make free encrypted phone calls. Last but not least, for a little more than six months, attackers were on the Tor network trying to de-anonymize users who operate or use Tor hidden services.