It feels like all weeks in security news are overstuffed lately, and this one’s no exception. It started with a bang, or more of a blare, as all of Dallas’s dozens of tornado sirens were hacked to sound off at once. And it ended with a boom, as the US dropped the Moab (‘Mother of All Bombs,’ colloquially), a 22,600 pound bomb, for the first time. And plenty happened in between, too!
The FBI took down a Russian spam king and his massive botnet, so your inbox might have felt a little lighter this week. We talked to one of the best car hackers in the world about how hard it is (very) to secure autonomous taxis. We took a look at the bleak world of content moderation training. And just when you thought the Shadow Brokers were done, they dropped a mess of NSA secrets that show Microsoft vulnerabilities and the hacking of Middle Eastern bank systems.
Things were relatively quiet in Trump world, though not entirely. The FBI reportedly got a FISA warrant against Carter Page, but that doesn’t prove much beyond how much potential trouble Carter Page is in. And a conservative watchdog group is suing the EPA for access to messages they may have sent over Signal, but, uh, good luck with that.
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Ugh, OurMine Hacks a Big Old YouTube Network
OurMine, the hackers who’d have you believe their hearts are made of gold, struck again this week, breaching thousands of YouTube accounts associated with a large media network, in what the group touts as “the biggest hack in YouTube history.” The hackers apparently got access to the German media network Studio71, which hosts over 1,200 popular channels. This allowed them to change the title and description field in any Studio71-affiliated videos. On many of those videos, the group wrote this message: “#OurMine – Hey, it’s OurMine, don’t worry we are just testing your security, please contact us for more information.” This is sort of their schtick: hacking for a purpose. In OurMine’s case, the group claims it does what it does to educate you about your security. It’s a hard claim to believe, when OurMine has in the past done things like hack into a Sony Music Twitter account to spread the false rumor that Britney Spears was dead. As YouTube star LiveEachDay, whose adorable videos of his toddler were breached, put it: “It’s honestly not a big hack.”
A never-before-seen attack used “booby-trapped” Microsoft Word documents to infect your machine with malware. This zero-day was first found by security researchers at McAfee, and is the latest of a bazillion reminders that you should not click on attachments in emails if they seem at all sketchy. Microsoft has now patched this attack, but while it was out there in the wild, it was pretty clever. Here’s how it worked: you download what looks like a regular old Word doc, but concealed in that doc is code that connects to the attackers. Once connected, it downloads what looks like a Rich Text Format Word doc that’s actually malware, all the while covering its tracks by creating and opening a new Word Doc on your machine. As Ars Technica notes, unlike previous Microsoft Word exploits, this bug infected your machine even if you didn’t turn on macros. It was also pretty powerful against Windows 10, which people usually consider a very secure operating system. What’s that old saying about how “words can’t hurt you?” If they are embedded with a malicious exploit, turns out they can.
New research from Newcastle University appears to show that the way a phone tilts as you type could give away your PIN. Using a smartphone’s gyroscope, the researchers were able to guess a four-digit passcode with 70 percent accuracy on the first try, and with 100 percent accuracy within five attempts. While it’s a neat theoretical hack, it’s not the first time a phone’s sensors were used to these ends, and it would be extremely difficult for a hacker to target an individual with it.
Researchers from Israeli firm Argus say they’ve found a way to hack a car to dramatic effect, including stopping the vehicle’s engine while it’s in motion. The hack requires some specialized conditions; you need to connect a Bosch Drivelog OBD-II dongle to the car in question, to infect it with malware. It also needs a Bluetooth connection to work, which means proximity that’s hard to get near a moving automobile. It’s technologically interesting, and could hypothetically cause actual damage, but it shouldn’t make you switch to pedicabs just yet.