Cracking down on crooks, a new trick for infecting payment card readers and vulnerable Google apps
Welcome to Cyber Security Today. It’s Friday December 4th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The struggle to find ways of allowing public communication apps to be encrypted but still give law enforcement agencies access to possible criminal content continues. This week the Council of the European Union recommended its member countries keep trying to find ways to bridge the seemingly impossible divide. Police say they need some sort of access to encrypted text or email messages to fight crime and espionage. Privacy experts say it can’t be done by forcing developers to install backdoors into software. Inevitably bad guys will find a way to use those backdoors, too, they argue. The Council is in the middle: It supports strong encryption, while agreeing competent authorities in security and justice should have some ability to access relevant data. The EU should work with the U.S., the United Kingdom, Canada and others to find a solution, it says.
Meanwhile this week Australia proposed a law that would give federal police and the national Criminal Intelligence Commission the ability to get court-approved special powers. One is the right to disrupt data communications, another gives the power to collect intelligence from user devices, devices that data goes through or that hold information, and the third would allow authorities to take control of a suspect’s online account. Accessing any seized data would require separate judicial approval.
Madison, Wisconsin has become the latest American municipality to forbid its police and other departments from using facial recognition technology. Other U.S. cities with bans include Boston, San Francisco, Oakland and Portland.
I’ve warned before about the dangers of swiping credit and debit cards down the side at payment machines. People do it out of habit, or because they don’t have newer cards with security chips allowing them to tap or securely insert cards in the bottom of the reader. Swiping is bad because it reads the vulnerable personal data on the black stripe on the cards’ back. Crooks have been able for years to infect card readers to capture that data. The latest criminal attempt to infect card readers was described this week in a report from a Dutch security vendor called Sansec: Infecting files in the logo images of familiar brands like Google, Facebook, Twitter, Instagram and Pinterest. These images would be included as software buttons in messages. The idea is security software protecting the card readers would miss the buttons. So far Sansec has seen a couple of examples. It isn’t known yet if this was the first of a widespread attempt to infect card readers.
Finally, for some reason some Android app developers have been slow to upgrade their software with the latest security updates. Check Point Software reported this week that a bunch of apps in the Google Play store still hadn’t updated their software to run a patched version of Google Play’s Core Library. For those who don’t know, software contains libraries of code. Often these are commonly-distributed free or low-cost libraries that save developers time from writing code themselves. This version plugged a hole that could allow an app to be hacked, stealing anything from login passwords to your bank or corporate data. The fix was released in April. Why companies — including big ones — have been so slow to patch their apps isn’t clear.
Before naming the companies Check Point warned them this report was coming. Some got the message.
Later this afternoon the Week In Review podcast will be released with a discussion about the ethics of naming and shaming companies and their cyber vulnerabilities. Listen on your way home or on the weekend.
That’s it for Cyber Security Today. Links to details about these stories are in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.