Equifax's malvertising scare, Chromebook TPM RSA key panic, Cuban embassy sonic weapon heard at last – and more

Roundup We almost wanted to feel sorry for Equifax, were it not for the fact that the credit biz takes to IT security like a duck to an acid bath. After a brutal few weeks under the spotlight, on Wednesday night it suffered another hacking scare.

When's it going to end?

Visitors to one of Equifax's customer support webpages couldn't help but notice they were being redirected to a dodgy site telling them to download and install Adobe Flash to proceed. The program on offer was actually Windows malware dubbed Eorezo that forces adverts to appear in Internet Explorer, thus Equifax's site was effecting telling people to infect themselves with adware.

Had Equifax been hacked again to inject these downloads? No, not quite. A third-party analytics provider, which measures and reports the performance of sites, was being used by Equifax – and it was this vendor that had been pwned, it seems. Miscreants changed its JavaScript served via Equifax's site to redirect visitors to the malware download screen.

And Equifax wasn't alone. Another US credit rating agency, TransUnion, was also using the same third-party vendor and also threw up fake Flash installation prompts on its online home. After the last few weeks, you'd think these agencies would be on high alert, but it seems not. Equifax said it has disabled the offending support page.

Meanwhile, the US taxmen are having a rethink about awarding Equifax a $7m identity verification contract.

T-Mobile US's inadvertent telephone lookup

While we're on the subject of website cockups, T-Mobile US, America's scrappy cellphone network upstart, had some problems of its own.

A security researcher at Secure7 was noodling around on T-Mob's website and, after logging in, spotted what looked like an exploitable backend API call. By switching up some of the parameters in the GET request, and supplying a stranger's valid T-Mobile US number, he could pull up their account details, such as their email address and handset's unique IMEI number.

Obviously, that's quite a big deal for things like identity theft, social engineering customer support desks, stalking, and so on, so he got in touch with the cell network. Thankfully, T-Mobile US was quick on its toes and the issue was fixed within 24 hours of being reported – however, it is claimed black hats knew about this flaw for a while and were exploiting it. T-Mob denies anyone used the API to slurp strangers' information.

Beware geeks bearing gifts

Last week Google had a big press event in San Francisco to introduce its latest hardware it wants to get into your homes. As the assembled hacks left the venue Google handed over one of the devices, a Home Mini, as a gift to each hack.

Ours was passed along to our reviewer of such things, and Kieran is working on the review now. But this week it emerged that some of the devices had a troubling flaw. Instead of waking up and listening for a voice command when the user either touched the device's buttons or said "OK Google," the device was switching itself on automatically all the time and recording everything that it could hear.

Thankfully this wasn't a dastardly plan by the Chocolate Factory to spy on journalists, or so we're told, just a flaw in the early Home Mini models. A firmware upgrade has now been pushed out to permanently disable the activation button to stop the gizmos from snooping 24/7.

ChromeOS TPM security scare

Usually ChromeOS is one of the toughest systems out there to crack, but there was a kerfuffle this week when it emerged that Chromebooks could have been generating weak and potentially crackable RSA crypto keys.

The problem wasn't Google's but stemmed from a cockup by Infineon, which makes the Trusted Platform Module (TPM) hardware used by ChromeOS, Windows, and other operating systems to generate RSA encryption keys. When Microsoft released its monthly patching bundle, it addressed the TPM vulnerability by switching to software algorithms to craft and regenerate stronger RSA key pairs.

Any attack against the keys is likely theoretical at best – you'd need to put a lot of computing grunt into the job to break cryptography relying on the dodgy keys. A simple update from Google addresses the issue on ChromeOS and Chromebooks, but that still leaves the rather unsettling thought that there are a lot of poor keys out there, generated on countless machines fitted with Infineon's TPM chips. If you use the affected silicon, grab a firmware update from Infineon.

Bronze Butler targets Japan

No, this one's not a Marvel reboot of the Silver Samurai but an advanced hacking attack against Japanese industry by what is thought to be Chinese hackers.

Dell's Secureworks security team spotted the attacks against Japanese critical infrastructure, heavy industry, manufacturing, and international relations organizations with the aim of stealing intellectual property. They started with a highly targeted phishing campaign that used both custom-built malware and some off-the-shelf products.

According to the report, this bears all the hallmarks of a state-sponsored espionage job. The malware wasn't going after money, deleted itself where possible, but also had a persistence element so that it could check to see if there was something new worth stealing. Government servers around the world possibly harbor similar code.

This sound may break your brain

Last month, after weeks of rumors, the US pulled all but emergency staff from its newly-opened embassy in Cuba, claiming a sonic weapon was being used against them.

The details of the weapons weren't released but the effects were. The US and Canadians said that staff had suffered ear complaints, hearing loss, dizziness, headache, fatigue, cognitive issues, and difficulty sleeping. Now you can hear the sound that harms yourself...

Youtube Video

Sonic weapons are certainly a thing – they are used in the US for riot control, but this case is unusually creepy. We'll keep an eye on this as it develops.

Pokémon Goski

Finally, we have an almost unbelievable tale of claims about Russian involvement in last year's US presidential election involving the game of choice for the self-involved, Pokémon Go.

The network claims that players of the game were encouraged with the promise of Amazon gift cards to make Pokémon political and to try and link it to the Black Lives Matter movement via a group called Don't Shoot Us.

It now appears that the group was set up as part of a misinformation campaign to get people riled up before the election, but there's no evidence it worked – apart from the current occupant of the White House as half the country seems to think. ®