Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job
Also, another fake iOS app slips into the store, un-cybersafe EV chargers leave UK shelves, and critical vulns
Infosec in brief A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism."
Tim Burke was arrested on Thursday and charged with one count of conspiracy, six counts of accessing a protected computer without authorization, and seven counts of intercepting or disclosing wire, oral or electronic communications for his supposed role in the theft of unedited video streams from Fox News.
Among the videos allegedly stolen from Fox by Burke were unaired antisemitic remarks by rapper Kanye West, and others. Burke accessed the footage using compromised credentials, and then altered recordings to mask their origin, the indictment claims.
Burke's lawyers countered the charges, asserting he engaged in no hacking and committed no crimes; he merely followed a link to the feeds without ever being asked to input any credentials.
"While we, like anyone else, condemn computer hacking, we emphatically insist that the facts of this case will demonstrate that there was, in fact, no hacking whatsoever," Burke's lawyers told the Tampa Bay Times. They further argued that publishing his findings is protected by the first amendment since Burke was acting as a journalist.
The Electronic Frontier Foundation (EFF) agrees, saying in a statement yesterday that it wants the US Justice Department to explain how what Burke did was an actual violation of the Computer Fraud and Abuse Act (CFAA), as the indictment alleges.
"The law remains vague, too often allowing prosecutors and private parties to claim that individuals knew or should have known what they were doing was unauthorized, even when no technical barrier prevented them from accessing a server or website," the EFF said.
What Burke did may be permissible under the Justice Department's decision not to prosecute good faith violations of the CFAA too, though as we noted in previous coverage if access was in any way unauthorized the good faith exception wouldn't apply.
Critical vulnerabilities of the week
There weren't that many to report this past week, aside from a few vulnerabilities in ICS products, which isn't exactly a shock – flaws in those things are everywhere.
- CVSS 9.8 – CVE-2023-21554: Several models of Mitsubishi electrical discharge machines are subject to a vulnerability in Microsoft Message Queueing services that could allow an attacker to tamper with devices, execute remote code and the like.
- CVSS-9.8 – Multiple CVEs: The Ethercat plugin for Zeek network security monitoring software contains OOB read/write vulnerabilities in GitHub commits d78dda6 and prior. This could be used to trigger RCE.
- CVSS 9.4 – Multiple CVEs: Commend WS203VICM video door stations running software versions 1.7 and prior are weakly encoding passwords, improperly controlling access and are vulnerable to argument injection.
Apple's app approval process fails again, leading to crypto theft
It's apparently faster for a scammer to create a spoof app and get it through Apple's App Store approval process than it is for legitimate devs nowadays, a case in point being what happened to Rabby Wallet this past week.
Rabby, a cryptocurrency wallet that's still undergoing App Store approval, had an impersonator make it into the App Store, with subsequent reports by a number of people who reported having their accounts emptied after installing the fake app. Rabby was forced to take to social media to say that a fake app was out there, and restating that the real Rabby Wallet is still under review.
- Feds post $15 million bounty for info on ALPHV/Blackcat ransomware crew
- Mon Dieu! Nearly half the French population have data nabbed in massive breach
- SBF likely off the hook for misplaced FTX funds after cops bust SIM swap ring
- Tesla hacks make big bank at Pwn2Own's first automotive-focused event
This is the second time this month that we've reported on fake iOS apps making it through the approval process and fooling iPhone users – not a great look for a supposedly safe, locked-down ecosystem like Apple's.
Just like in the previous case with LastPass, keep an eye on the developer name, reviews, and the like when downloading anything.
EV chargers pulled from UK shelves for not meeting cybersecurity requirements
The UK Office for Product Safety and Standards (OPSS) has told EV charger maker Wallbox to stop selling its Copper SB car chargers because they don't comply with UK cybersecurity laws, The Telegraph reported.
According to the outlet, the concern was over the possibility that Copper SB chargers, which can be controlled with a smartphone app, could potentially be exploited to turn them all on at the same time, causing a sudden drain on the power grid.
Wallbox was granted a temporary waiver to continue selling the products until June, at which time the devices will be taken off the market because Wallbox "cannot implement the Cybersecurity requirements in full on this product because of a hardware and operating system limitation," the company told [PDF] the OPSS.
We note, as did the Telegraph and Wallbox, that there's no evidence of a flaw in Copper SB hardware that could cause a grid stress attack – merely that the hardware can't be secured up to modern UK standards. ®
Biting the hand that feeds IT
