Cybersecurity news headlines May 1-15, 2019

Cybersecurity news headlines May 1-15, 2019

In our first May edition of cybersecurity news headlines, there are three stories to report on. We discuss President Putin signing a law to disconnect Russia from the rest of the web; a Twitter bug exposing iOS users’ locations; and a WhatsApp vulnerability that allows attackers to infect devices with spyware by simply calling them.

Putin signs law to disconnect Russia from the web

According to Russian media, President Vladimir Putin has signed the legislation allowing the country’s internet to be disconnected from the wider web. The law will come into effect in November, and will aim to protect Russian internet and its services in case foreign aggressors try to cut off the country’s internet from the rest of the web. According to reports, a test of such a scenario has been carried out in the past. However, the likelihood of such an attack actually happening is slim.

In the event that Russia is disconnected from the web by foreign aggressors, Russia’s ISP will have to rely on Russia’s alternative domain system (DNS). Specialized equipment will need to be installed by ISP, and it will direct internet traffic via exchange points in Russia only. The required equipment is estimated to cost around 20.8 billion Russian rubles ($318 million), all of which will be covered by the state.

In addition to keeping Russian internet traffic in Russia, the new law will also allow Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media) to censor content much easier. While it had to have internet providers comply with its regulations in the past, Roskomnadzor would now be in charge of blocking banned content itself. In fact, some activist allege that easier censorship was the main goal. The Kremlin has denied such claims.

Twitter discloses bug that shared some iOS users’ location data

Social media giant Twitter has disclosed yet another bug, and this time it affects iOS app users. The company has admitted that they had been inadvertently collecting and sharing iOS location data with a third-party in certain circumstances.

According to Twitter, if users had used more than one account on Twitter for iOS, and one of the accounts had the precise location feature enabled, Twitter collected location data when users were using any of the other accounts, whether or not they had the feature enabled or not. The location information Twitter had accidentally collected had also been sent to Twitter’s partner “during an advertising process known as real-time bidding”. However, Twitter does note that the location data was no more precise than zip code or city (5km squared), so determining the exact location would not be possible.

The social media company claims that the third-party did not retain the information, and it has since been deleted. The bug has also been fixed, and affected users are being informed about the situation. Twitter also encourages its users to check that they are only sharing the data they want with them.

WhatsApp encourages users to update after alarming vulnerability discovery

An alarming WhatsApp vulnerability allowing attackers to inject spyware on iPhone and Android devices by simply calling them was discovered earlier this month. According to the Financial Times, an Israeli firm NSO Group, known for selling its spyware to governments, is responsible for the spyware.

Using the vulnerability in WhatsApp, attackers were able to transmit malicious code to the target’s device by simply calling it and infecting the call. The target did not need to answer the call for the spyware to be delivered, and any traces of the call would be deleted from the logs. If users did not notice the call when it was happening, the spyware could avoid detection for a while.

Because of the way it works, users could not have done anything to avoid the attack. It should be mentioned that while it’s unlikely that regular users have been affected by this, those who work in sensitive industries should be cautious. Reportedly, this method of attack was used on an attorney who is involved in a lawsuit against NSO.

An update was released soon after the vulnerability became known, and users are encouraged to install it if they have not already done so. They are also advised to update not only their apps but also devices as well.