Google rolls out Titan keys to Europe, Japan. Plus: Group Policy bug is a feature, not a flaw, says Microsoft

Roundup: It’s once again time for a security news summary. Let’s get to it.

Student accused of hacking crimes cleared… to attend Swiss hackathon

A college student from Zimbabwe who was hit with eight criminal hacking counts will still get to represent his school at a UN hackathon.

Tatenda Christopher Chinyamakobvu was able to convince a judge to loosen his bail conditions after he was selected to attend the #Hack4SmartSustainableCities event in Switzerland.

Chinyamakobvu was one of a trio of students from Chinhoyi University of Technology who won a local coding contest by developing an application to help first-responders spot and assess the seriousness of emergency reports.

When he wasn’t winning hackathons, however, authorities believe Chinyamakobvu was up to less-than-legal actions, breaking into a university records system in order to change his and other students’ grades.

North Korea’s “Hidden Cobra” group surfaces again

The notorious North Korean hacking operation known as “Hidden Cobra” is active once again.

US-CERT says the group, best known for targeting financial institutions as a way to get around economic sanctions against the Norks, is using an updated version of its “Hoplight” malware to infect targets.

Cash of the Titans: Google offers keys for sale internationally

Good news for Brits who have been coveting a new Titan security key. Google says it will be selling the USB-C version of the plug-in security key in the UK and seven other countries: Austria, Canada, France, Germany, Italy, Japan, Spain, and Switzerland.

While users in those countries could already get the USB-A and Bluetooth versions of the keys, the USB-C model had not been available. Just remember to read the instructions – if you use it on your phone you will need GPS enabled, as one Reg hack found after a frustrating couple of hours.

HackerOne discloses security hole in… HackerOne

Bug disclosure service HackerOne was in the rare position of publicizing one of its own security holes this week after a researcher discovered a flaw that was exposing some user email addresses.

A researcher using the handle msdian7 was given an $8,500 payout for discovering and reporting how an attacker could game the project invite feature on the site to view the hidden email addresses of other users. The flaw was traced back to a missing access control rule in HackerOne’s new GraphQL system.

Tenable says Microsoft won’t fix Group Policy bug

Security firm Tenable has gone public after Microsoft declined to patch a security issue in Windows.

Tenable says the flaw is in the Group Policy administration tool. An attacker who already had access could elevate their privileges using a customized profile file. This would allow the attacker to do things that would normally be limited by Group Policy settings.

“Bypassing User Group Policy is not the end of the world, but it’s also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios,” notes Tenable’s David Wells.

Microsoft, however, does not consider the bug serious, as the profiles are working as intended. Rather, admins should limit user access to those files.

That’s a SlickWrap

A company that makes custom wrap decals for consumer electronics is getting roasted for its shoddy website security.

White-hat researcher Lynx tipped off The Register to this scathing analysis he wrote of the SlickWrap site and its security failings. The infosec bod found, among other things, exposed customer info and emails from the company, as well as all of its support communications.

On top of that, the biz was said to have completely ignored the security warnings, and was accused of trying to cover evidence of the data exposure. SlickWrap didn’t get back to us.

Adobe After Effects gets patch

Adobe After Effects has received a security update to address an arbitrary code execution flaw. While this isn’t a particularly dangerous flaw (unless you constantly open untrusted After Effects files), it is worth getting patched if you rely on the video editing tool.

Dutch student cuffed for malware

Dutch publication NOS has the story of a 21-year-old student from Utrecht who was arrested and charged with creating trojan tools for other malware writers.

From the sound of it, the student was offering tools that let malware be placed within Word or Excel file macros. He faces at least a year behind bars.

In brief… The Romanian masterminds behind the Bayrob malware that infected thousands of Windows PCs to steal millions of dollars have been sentenced… A so-called stalkerware app called KidsGuard for keeping tabs on children, and others, left its backend database open to the world to find… Watch out if you use the public link option for your WhatsApp group chats: Google and others can index them.

Tech investigator denied US visa

The head of an investigation company that develops technology for media outlets and investigators says he is being barred from the US.

Forensic Architecture boss Eyal Weizman said his visa to enter the US has been revoked because he was apparently linked to a threat to national security. The New York Times reported: “He said that the embassy official had told him that the threat that surfaced could be related to something he was involved in, people he had been in contact with, places he had visited, hotels at which he had stayed, or a pattern of relations among those.”

Man charged for political DDoS attacks

A California bloke was charged with launching a series of distributed-denial-of-service attacks against a candidate running in the Democratic primary against would-be Representative Katie Hill (D-CA).

The FBI believes that Arthur Dam, who was listed as a consultant for Hill, deliberately timed the DDoS attacks to take down the rival’s website at critical times during the race. Hill would narrowly win the primary and go on to win the seat. She has since resigned over an unrelated sex scandal. ®
