Meltdown, Spectre, Malicious Apps, and More of This Week’s Security News

The fallout of the widespread Meltdown and Spectre processor vulnerabilities continued this week. WIRED took an in-depth look at the parallel sagas that caused four research teams to independently discover the bugs within months of each other.

Dozens of patches are now floating around to try to defend devices against attacks that might exploit the vulnerabilities, but a significant amount of time and resources has gone into vetting and installing the patches, because they slow processors down and generally take a toll on systems in some situations.

On Thursday, Congress re-authorized warrantless surveillance initiatives under Section 702 of the 2008 FISA Amendments Act, rejecting reform proposals and instead expanding the scope of the dragnet for six years. In other secret surveillance news, a report by Human Rights Watch details legal techniques law enforcement officials use to avoid revealing some of their sketchier investigative tools.

Skype is going to start offering end-to-end encryption as an opt-in feature, which will bring the protection to the service’s 300 million users (though the security industry likely won’t be able to vet whether Skype’s encryption implementation is actually robust). But researchers found a flaw in WhatsApp, which is end-to-end encrypted by default, that would allow an attacker to join a private group chat and manipulate the notifications about their entrance so group members aren’t necessarily aware that they are an interloper.

Protests in Iran continue to be forcibly opposed by the government on numerous fronts, including through initiatives to disrupt Iranians’ internet connections and access to communication platforms like Instagram and Telegram. Researchers have developed a technique for catching spy drones in the act by analyzing their radio signals, and mobile pop-up ads are on the rise. Oh, and the Russian hacking group Fancy Bear is apparently gearing up to target the 2018 Winter Olympics, so there’s that.

And also there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

###Google Removes 60 Malicious Apps Downloaded Millions of Times from the Official Play StoreGoogle removed 60 supposed gaming apps from the Google Play Store on Friday after new research revealed that the apps were laced with malware designed to show pornographic ads and get users to make bogus in-app purchases. The findings from the security firm Check Point indicate that users downloaded the tainted apps three to seven million times. The malware is known as “AdultSwine,” and also has a mechanism to try to trick users into downloading phony security apps so attackers can gain even deeper access to victims’ devices and data.

The malware campaign is problematic in general, but is particularly noteworthy because it targets apps that might appeal to children, like one called “Paw Puppy Run Subway Surf.” The situation fits into a larger pattern of malicious apps sneaking into the official Google Play Store. Google has been working for years on tactics to try to catch and screen out bad apps.

FBI Reinforces Anti-Encryption Stance

FBI Director Christopher Wray renewed controversy about encryption on Tuesday when he said at a New York cybersecurity conference that the data protection protocols are an “urgent public safety issue.” Wray noted that the FBI failed to crack 7,800 devices last year that would have aided investigations. Wray said that encryption bars the FBI from extracting data in more than half the devices it tries to access. Digital data protections, namely encryption, have caused longstanding controversy about the balance between the public safety necessity of law enforcement and the separate safety issues that emerge when an encryption protocol is undermined by a government backdoor or other workaround. Echoing Wray’s remarks, FBI forensic expert Stephen Flatley said at a different New York cybersecurity event on Wednesday that people at Apple are “jerks,” and “evil geniuses” for adding strong data protection mechanisms to their products.

###Apple Patches a Small, But Glaring Bug in macOSA new bug discovered in macOS High Sierra would allow an attacker to change your App Store system preferences without knowing your account password. That doesn’t get an attacker…all that much, and the bug only exists when a device is logged into the administrator account, but it’s another misstep on the ever-growing list of security gaffes in Apple’s most recent operating system release. A fix for the bug is coming in the next High Sierra release.

###US Customs and Boarder Patrol Updates Its Electronic Device Search Policy

The United States Customs and Border Protection agency updated 2009 guidelines last week to include new protocols for searching electronic devices at the border. CBP says it searched 19,051 devices in 2016 and 30,200 devices in 2017. The new documents lay out the difference between a Basic Search, in which agents can ask anyone to submit a device for local inspection (data stored in the operating system and local apps), and an Advanced Search, in which border agents can connect a device to a special CBP analysis system that scans it and can copy data off of it. The guidelines stipulate that agents can only do Advanced Searches when they have reasonable suspicion that an individual has participated in criminal activity or is a threat to national security in some way. CBP agents are limited to devices and can’t search an individual’s cloud data. Despite these and other limitations outlined in the procedures, privacy advocates note that these CBP assessments are still warrantless searches, and the new guidelines more specifically and extensively outline what agents can do in addition to describing boundaries.