Bug Bytes: Hacking for Good, Malware, and Outages (x3)

In early February, the Swiss government issued a reward for hacking its new electronic voting system. Within just one month, Motherboard reported that a group of researchers had found a critical flaw in the code that would allow someone to alter votes without detection – talk about the power of the bug bounty!

Hacking for good has driven the rapid rise of vulnerability disclosure and bug bounty programs and resulted in a radically safer and more trustworthy internet. That trust is critical for our election systems and democratic institutions, which will undoubtedly continue to be the target of bad actors as we approach our own 2020 election. This find is a great success for the Swiss program and should serve as a launching point to expand upon those findings to ensure other parts of the government are secure (we hope other countries are taking note too).

Also this week, ZDNet reported on dozens of major tech companies and corporate giants inadvertently leaking sensitive corporate and customer data through Box accounts because staff were sharing public links to files that can be easily discovered.

Permissions on document and file sharing services are a big risk today. But the issue is not specific to just Box – services like Dropbox, Google Drive and others all share the same inherent risk associated with file sharing. Despite what any company’s security team might say, people are still going to use these services because the collaboration capabilities and ease of use far outweigh any security fears for users.

TechCrunch covered malware, dubbed SimBad, masquerading as an ad-serving platform that has infected more than 200 apps in Google Play and that would open a backdoor to install additional malware.

Ad and analytics frameworks get baked into mobile apps almost 100 percent of the time, but they install hooks and functions that are often never reviewed for security. As a developer, you need to find a solution to track usage and deliver ads to your users as part of your monetization model, so you do some cursory research to select a provider. Usually this is a third-party company, and the solution is to import a whole new set of code into your app to enable this provider.

In what might have taken over the web this week, BBC reported on a 14-hour outage for Facebook and Instagram, which is believed to be the biggest interruption ever suffered by the social network. Users quickly began blaming the outage on hackers launching a DDoS attack; however, Facebook blamed the problem on a “server configuration change,” not a cyberattack.

In the third major tech outage of the week (see CNET), The Verge highlighted how iCloud also went down for several hours. The widespread problem impacted iCloud sign-in, Backup, Calendar, Contacts, Mail, Keychain, iCloud Drive file storage, iWork, Photos, Notes, Reminders, Find My iPhone, and more, though Apple identified no cause.

Many are speculating that the series of outages this week are related. While we can’t draw conclusions at this point, we definitely don’t like the coincidence.

We’ll keep a close eye for now, and more to come next week!