Security News This Week: Cryptocurrency Company Hacks Itself Before Hackers Can Hack It

Apple's Worldwide Developers Conference kicked off the week, bringing with it some interesting security enhancements for iOS and macOS users. The company will start offering its own single sign-on option, competing with Google and Facebook but with enhancements those two currently don't offer. And it rejiggered its Find My feature using some very clever cryptography. On the other hand, the company only just now got around to patching a 20-year-old modem bug, and noted macOS hacker Patrick Wardle dropped yet another zero-day vulnerability. There's more than just Apple news of course, even though it sometimes doesn't feel like it. The 2020 election feels far away, but there's still not enough time to make sure the vote is secure. Russia …

Another Mac Bug Lets Hackers Invisibly Click Security Prompts

Two hours into his keynote at Apple’s Worldwide Developers Conference last June, senior vice president Craig Federighi revealed a new privacy feature in macOS Mojave that forces applications to ask the user if they want to "allow" or "deny" any request to access sensitive components and data, including the camera or microphone, messages, and browsing history. The audience dutifully applauded. But when ex-NSA security researcher Patrick Wardle watched that keynote at his home in Maui a few months later, he had a more dubious reaction. Over the previous year, he had uncovered a way for malware to invisibly click through those prompts, rendering them almost worthless as a security safeguard—not once, but twice. After Wardle had revealed the bugs that …

Google Has Stored Some Passwords in Plaintext Since 2005

It happened again: Google announced today that it's the latest tech giant to have accidentally stored user passwords unprotected in plaintext. G Suite users, pay attention. Google says that the bug affected "a small percentage of G Suite users," meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities. The company typically stores passwords on its servers in a cryptographically scrambled state known as a hash. But a bug in G Suite's password recovery feature for administrators caused unprotected passwords to be stored in the infrastructure of a control panel, called the admin console. Google has disabled the features that contained the bug. Before it did so, …

Mueller Report Fallout Pressures Democrats to Impeach Trump

Democrats in Washington found themselves Friday confronting an unwelcome surprise conclusion following the release of the final report by special counsel Robert Mueller: Maybe we should impeach President Trump after all. Ever since taking back the House of Representatives in January, Democratic leaders have carefully modulated the demands for impeachment from their activist base. First, they stressed the need to wait for the outcome of Mueller’s probe into Russian interference in the 2016 election. Last month, House speaker Nancy Pelosi splashed cold water on the idea of impeachment, telling The Washington Post’s Joe Heim, “Impeachment is so divisive to the country that unless there’s something so compelling and overwhelming and bipartisan, I don’t think we should go down that path, …

Huawei’s Problem Isn’t Chinese Backdoors. It’s Buggy Software

A report on Thursday from a British government oversight group found that Chinese telecom-equipment maker Huawei has basic but deeply problematic flaws in its product code that create security risks. The shortcomings, many of which Huawei had previously promised to improve, stem from issues with its software development processes, according to the report. The findings come amid a concerted Trump administration effort to ban Huawei products around the world (particularly in 5G wireless networks), because of concerns that Huawei devices are controlled by the Chinese government or that Huawei would take orders from Beijing to undermine its security protections if asked. Though the geopolitical discourse has gotten heated, the report concluded that the flaws in Huawei's code are related to …

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can easily be discovered. The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with publicly accessible …