Security News This Week: A Deluge of Mega-Breaches Dumps on the Dark Web
You may have been enjoying your Memorial Day holiday and celebrating the start of summer this week. But the Internet’s nasty elements and incursions on your privacy don’t take vacations.
A megabreach of MySpace served as a reminder that even services you’ve forgotten about may hold your private data and leave it vulnerable—and that was just one of a string of data dumps offered by a single shady dark web data dealer. Yahoo became the first company to reveal it had received National Security Letters without having to duke it out with the government in court. Facebook introduced a new method of showing ads across the web that calls for some tweaks to your privacy preferences. Google’s Android security team is training intelligent computers to help in the fight against malware. Speaking of the fight against malware, we explained what “fuzzing” is and why it matters. We introduced you to a Romanian hacker who is using his skills for good, not evil. Security researchers showed that five of the most popular computer makers leave their machines open to malicious updates from hackers. And another team of researchers proved that it’s possible to hide a hackable backdoor in a processor using only one single, microscopic component out of a billion.
But—unfortunately—there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
MySpace, it seems, was only this week’s first reminder of the dangers of stale, insecure data. Collections of millions of stolen passwords from Tumblr—taken in a 2013 compromise of the site—and the dating site Fling also showed up in dark web data sales. In fact, the MySpace, Tumblr and Fling data was all offered for sale by the same data broker, someone going by the name peace_of_mind, who last week put up for sale the fruits of a giant, if outdated, breach from a 2012 hack of LinkedIn. In total, the collection of breached passwords for sale has now risen to 642 million—not a number the information security industry can be proud of. All of that should serve as a reminder of account security basics: Use two-factor authentication whenever possible to protect your online accounts, choose strong passwords that can’t easily be cracked if they’re breached in a cryptographically “hashed” form, and don’t reuse passwords between services.
Just when the week of megabreaches seemed at an end, breach-monitoring service Leaked Source discovered an apparently hacked collection of as many as 127 million accounts, including hashed passwords, from the UK-based social networking service Badoo. Badoo, however, denies having been hacked, and the source of the megabreach remains unconfirmed for now.
The FBI is building a mega-collection of Americans’ biometric information, from DNA profiles to facial recognition data. And perhaps unsurprisingly for a project with such privacy-invasive potential, the bureau wants to exempt that database from a key privacy regulation. In early May, the FBI filed a proposal to create an exemption in the Privacy Act for its so-called Next Generation Identification System, a collection it’s building of biometric data from more than 70 million criminal records and 38.5 million civil ones, including state motor vehicle departments, visa applications and welfare screenings. That exemption would free the FBI from the Privacy Act’s requirement that federal agencies share the data collected about individuals with them and give them a legal right to determine its accuracy. A group of 45 civil society groups issued an open letter opposing the move, including the ACLU, the Electronic Frontier Foundation, Amnesty International and even Lyft and Uber.
When the drug market Sheep Marketplace went offline in 2013, it told people that it had been hacked by one of the site’s users and its entire cache of bitcoins stolen. The site’s users mostly assumed that Sheep’s own administrators must have run off with their coins instead, a so-called “exit scam.” But now a forfeiture agreement in a Florida criminal case reveals that two men, 24-year-olds Nathan Gibson and Sean Mackert, did in fact hack Sheep Marketplace and made off with 5,400 bitcoins worth close to $6.6 million at the time, which have now been seized by law enforcement. Mackert and Gibson allegedly made a rookie mistake that led Department of Homeland Security investigators to their doors: they apparently forgot that bitcoin is far from anonymous by default. By taking their stolen coins directly from Sheep to the bitcoin service Coinbase, the DHS investigators were able to track the heist in bitcoin’s public ledger known as the blockchain and subpoena Coinbase for their identities.
Iran’s theocratic government, like that of so many other repressive regimes, remains locked in a cat-and-mouse struggle with the country’s online population who seek to circumvent its draconian control of the Internet. Now the country has made a drastic move in that battle for digital control: It’s required all social media services with Iranian users to host their servers within the country’s borders. That stricture would make it far easier for Iran to censor and surveil services like Telegram, which is used by close to a quarter of all Iranians. The country is giving those services a year to comply. Those that don’t will no doubt end up on the country’s list of banned services, which already includes Twitter, Facebook and YouTube.
The bad news: Researchers have found “several versions” of malware that closely resembles Stuxnet, the “digital weapon” that attacked an Iranian nuclear facility several years ago. The slightly better news? It only works within a simulated Siemens control system environment, and it’s been given a cool-sounding name: Irongate. Like Stuxnet, Irongate focuses on a single, specific control system process. And similarly to how Stuxnet avoided antivirus detection, Irongate can evade being spotted in sandbox environments. It doesn’t pose any kind of specific threat—the key word is “simulated”—but it’s at least a reminder that Stuxnet wasn’t a one-off, and defenses against something else like it still aren’t up to snuff.