Your daily round-up of some of the other security stories in the news
Google patches DirtyCOW flaw
Android users have finally had the DirtyCOW vulnerability that we wrote about in October patched, several weeks after the flaw was patched in the Linux kernel and in various Linux distros.
Google’s latest security bulletin, posted earlier this week, posted 50 patches, of which 11 were critical; DirtyCOW was one of those critical patches.
The catch, however, is that Google’s patch only covers Google’s devices, which, according to its security bulletin of earlier this week, are the Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player and Google’s newest phones, the Pixel and Pixel XL. The only other vendor to have pushed out a patch to fix the DirtyCOW vulnerability is Samsung, and it didn’t say which devices its patch covered.
Google also pushed the patch out to the Android Open Source Project (AOSP), which covers the non-proprietary core of Android, including the OS kernel itself, where the DirtyCOW hole was found. From the AOSP codebase, it’s up to individual vendors and carriers to work the patch into their codebases and push out updates.
Android is much loved by the geek community, but DirtyCOW flags up the problem of having multiple flavours of the OS on multiple devices made by multiple vendors: it’s unlikely your device will ever be entirely up to date with patches unless you’ve got one of Google’s own devices that’s still on the supported-with-updates list.
Naked lack of security
When you go through an airport, do you submit gracefully to the scanner or do you ask for a pat-down?
While many might object to the scanner on the grounds that they’d rather not have the quasi-nude outline of their body flashed up on to screens in front of airport staff, Matthias Kirschner, president of the Free Software Foundation Europe, took issue with the scan because he couldn’t feel confident that the scans taken would be stored securely.
Writing on his blog, Kirschner details the conversation he had with security staff at Berlin’s Schönefeld airport: “I told him that I do not trust what data of my body shape is saved and where it is stored … I also told him that what they see on their screens and what is saved on the disk can be different things, and that just because they cannot access files from before does not mean they are not stored.”
Kirschner has a point: airports need to be clear about how that data is stored and who has access to it.
And airports also should not put passengers who decline the scanner in favour of a manual pat-down through the much longer search Kirschner was then subjected to: he had to unpack his bags for a further check after his pat-down, and after he’d packed his bags again, his belongings were then checked for traces of explosive.
Pyongyang ‘hacked South Korea’
South Korea said yesterday that its cyber command had had its intranet server hacked and infected with malware and that documents had been stolen, and pointed the finger at North Korea.
“It seems the intranet server of the cyber command has been contaminated with malware. We found that some military documents, including confidential information, have been hacked,” Seoul said.
This is the first time South Korea’s cyber command, set up in 2010, has been hacked, but North Korea is thought to have been behind many other cyberattacks on its neighbour to the south. Pyongyang has always denied cyberattacking South Korea, but the isolated nation has thousands of cyberattackers at its disposal.
Earlier this year Seoul claimed that North Korea had hacked into the smartphones of officials to steal information.