At a glance.
- QR codes and privacy risks.
- More spyware news.
- Updates on the Twitch hacktivist incident.
The security risks of QR codes.
The Washington Post investigates the security risks surrounding QR codes, those funny black and white blocks that, when scanned by a phone, open a corresponding link. Though not inherently dangerous, “quick response” codes provide the consumer with a shortcut to the retailer’s website, which can then collect valuable consumer data for marketing or advertising purposes with or without user knowledge. It’s also worth noting that some attackers can embed QR codes with malicious code in order to launch a malware or “quishing” attack, and apps marketing themselves as “QR scanners” are not only unnecessary (your phone’s built-in reader is more than sufficient), but could also distribute malware.
Spyware: Donot Team and Pegasus, again.
Amnesty International reports that a Togolese activist was targeted with spyware connected to the Donot Team threat group. Though the attempt was unsuccessful, the cybercriminals tried to use Android and Windows spyware to infiltrate the activist’s devices. As the Record by Recorded Future explains, the Donot Team is linked to attacks across Asia. Deputy Director of Amnesty Tech Danna Ingleton commented, “Across the world, cyber-mercenaries are unscrupulously cashing in on the unlawful surveillance of human rights defenders.”
In other spyware news, on the heels of the revelations of the Pegasus Project, Reuters reports that Israel-based technology firm NSO Group has discontinued its contract with the United Arab Emirates. Evidence presented to England's High Court shows Dubai ruler Sheikh Mohammed bin Rashid al-Maktoum was caught using Pegasus spyware to snoop on his ex-wife and her associates. NSO explained, "Whenever a suspicion of a misuse arises, NSO investigates, NSO alerts, NSO terminates." The sheikh denies all allegations.
Updates on the Twitch incident.
As details concerning Twitch’s massive data leak continue to unfold, the popular streaming service has updated its blog, disclosing that it has reset all stream keys, or streamer credentials, “out of an abundance of caution.” Though details regarding exactly how the breach occurred are still unclear, CNET reports that in a tweet yesterday Twitch attributed the incident to a misconfiguration: "We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party."
Regardless of the cause, the leaked data, which includes everything from infrastructure code to security scripts to streamer payouts, has the community reeling. Former Twitch security engineer Thomas Shadwell told Vice that the security data is outdated and therefore not actually sensitive. "The security-related code in the ‘infosec’ folder is code I wrote many years ago...The code itself was largely superseded by code which is maintained by Twitch's core engineering teams, rather than myself." Vice asserts that the streamer data is more damning, and users certainly agree. Though streamers’ subscriber counts, which are public, have always given users an impression of a streamer’s success, Wired points out that the leaked details about top earners’ hefty salaries make the monetary significance of that success more palpable. TechCrunch explains that not only does the breach prove that Twitch’s top earners make hundreds of thousands of dollars a month, but it also reveals that the majority of those earners are men, which is especially damaging given that users have accused the platform of tweaking its algorithm to bury lesser-known streamers. Making matters worse, marginalized Twitch users have recently been plagued by harassment in “hate raids,” angering users who feel the company’s security model does little to protect them while giving top streamers a free pass. Ironically, Win.gg reports, while discussing a leaked list of streamers deemed unbannable due to their influence, political streamer “Destiny” was himself banned for revealing a leaked staff email address.
Jon Murchison, CEO of Blackpoint Cyber, points out that from Twitch's point of view loss of source code is the most serious outcome of the incident:
“The breach, if verified, contains sensitive financial data and source code information for one of the most widely used streaming platforms available. From an information security standpoint, source code and software development kits are the ‘Crown Jewels’ that you want to protect at all cost.
“This leak could result in adversaries uncovering critical vulnerabilities that could be weaponized for future use. While details are still scarce, this highlights the difficulty with securing distributed cloud and on-prem infrastructure. However, intrusions of this scale can be prevented with the proper security controls and sufficient security and IT monitoring.”