At a glance.
- John Deere closes app and website vulnerabilities.
- Researchers report AirDrop privacy issues.
- More industry reaction to the US Justice Department's anti-ransomware task force.
Doxing John Deere (as a proof-of-concept, anyway).
A security researcher, Vice reports, has found two bugs in John Deere apps and the company's website that permitted extraction of customers' personal data. The researcher (nom-de-hack "SickCodes") disclosed the problems to the farm equipment manufacturer on April 12th and 13th. The company had fixed both by this Wednesday, and neither appears to have been exploited in the wild. SickCodes told Vice he could obtain, for newer equipment, "the vehicle or equipment owner's name, their physical address, the equipment's unique ID, and its Vehicle Identification Number."
Researchers report privacy flaws in Apple AirDrop.
Security researchers at the Technische Universität Darmstadt have announced their discovery of a privacy flaw in Apple's AirDrop file-sharing product. The researchers say, "Apple users can share files with each other using AirDrop. But studies by TU researchers at the Department of Computer Science show that uninvited people can also tap into data. The research team developed a solution that could replace the flawed AirDrop. Apple has not yet closed the discovered privacy gap – the users of more than 1.5 billion Apple devices are still vulnerable." They say they disclosed the issue to Apple in May 2019, but that Cupertino has yet to fix it.
Naked Security has a good account of the issue, which is a complex one, and it offers some points of advice to people worried about using AirDrop:
- "Turn AirDrop off if you aren’t using it. That’s good security practice anyway. There’s no need to be discoverable to other AirDrop users all the time."
- "Don’t blindly fall back to Everyone mode if Contacts only mode keeps failing. If you’re in a private place with a sender you trust, it’s probably OK, but if you’re in a busy coffee shop or shopping mall, remember that Everyone mode opens you up to, well, everyone else around."
- "Be careful whom you connect to. The researchers relied on using obvious variants of the recipient’s device name, using a sort of “namesquatting” trick. If you can, get the recipient to show you their device name on-screen first so you don’t get suckered into picking a similar but bogus name."
More comment on the ransomware task force.
We've received more comment from industry on the US Justice Department's plans to establish an anti-ransomware task force.
Jeff Brown, CEO of Open Systems, puts the decision in the context of 2020's surge in ransomware attacks:
“The Justice Department this week announced the creation of a ransomware task force. This follows a year that the agency described as the worst ever for ransomware. The DoJ move – and reports indicating that ransomware has soared 62% since 2019 and that the average ransom payment increased by 60% between the first and second quarters of 2020 – illustrate the extreme risk that such cyberattacks pose for organizations today. This is all happening against a backdrop in which more people are working from home and an increasing number of business applications are moving to the cloud. The extended enterprise edge and growing cyberthreat highlight the need for complete, context-aware, zero-trust solutions.”
Tom Patterson, Chief Trust Officer at Unisys, thinks a multi-agency, public-private partnership represents a fundamentally sound approach to the problem:
“The Justice Department has an important role to play in the whole of nation defense against ransomware and other attacks. Ransomware is being launched with impunity from criminals around the world, and more needs to be done to change the economics of the attack – to make it more costly to attack than defend. Justice’s legal system has a wide range of capabilities at its disposal to add costs and consequences to those that choose to attack. The White House’s National Cyber Moonshot and Congress’ Cyber Solarium report have both recommended increasing the consequences for those that launch and support attacks, and the DoJ has a myriad of consequential arrows in its quiver that it can bring to bear. By creating this task force along with experts from national security, law enforcement, and the private sector, the department is approaching this critical problem the right way. Acting Deputy Attorney General John Carlin is perfectly situated to lead this new task force with his strong roots in both the department’s capabilities, and with the private sector that is under attack.”