Security News This Week: Clever Malware Is Sending People Fake Speeding Tickets
This week, the Apple-FBI legal fight finally, officially ended, as the feds at last found a way into San Bernardino shooter Syed Farook’s locked iPhone. Don’t get too comfortable, though, because this generation’s war between law enforcement and encryption technology has only just begun. They’ve still got lots of drug cases—the most common crime associated with requests to unlock phones—to crack, after all.
Elsewhere, we looked at how ISIS succeeds at social media, and at why the Department of Justice’s strategy of charging individuals, rather than nations, for hacking these here United States might backfire. More people want to shut down the dark web than don’t, but surely they’d feel differently if they saw this Tor relay sculpture in person. If it seems like hospitals have been a popular ransomware target lately, well, there’s good reason for that. And Reddit may have signaled that it got a National Security Letter, meaning it’s been asked to provide information about one or more of its users to the feds.
But there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Maryland Ruling in Stingray Case Raises Questions About Convictions in 200 Other Cases
A significant ruling in Maryland’s state appellate court around police use of a cell-phone tracking device could put about 200 other cases in that state in jeopardy. The three judges on Maryland’s Court of Special Appeals found that Baltimore police violated the Constitution when they used a device called a Hailstorm to track the location of a shooting suspect without obtaining a search warrant first. A Hailstorm is a stingray device that masquerades as a legitimate cell tower in order to trick nearby mobile phones into connecting to it and revealing their unique device ID—which police can then use to track the location of the device. The court found this a Fourth Amendment violation, ruling that the evidence used to convict the suspect—which pointed to both his location and the gun that was uncovered during a subsequent search of the apartment—was inadmissible, bringing the entire case into question. The ruling jeopardizes some 200 other cases involving convicted criminals in Maryland, as well as ongoing cases that involve the use of a stingray device. And although the ruling only sets a binding precedent for Maryland state cases and doesn’t directly affect federal cases in Maryland or elsewhere, it will likely embolden defense attorneys around the country to challenge the use of stingray devices in their cases.
Malware that targets everyday citizens is bad, full stop. But it can also be impressively clever! Police in the Philadelphia suburb of Chester County report that people have been receiving emails that contain fake speeding citations—along with a malicious phishing link. In itself, that’s not so surprising. But investigators report that the people receiving those emails really were speeding at the locations the citations claim. They suspect a hacker may have compromised a GPS-enabled app to give their scam an added dose of veracity. So far only a handful of people have been affected, and the actual method responsible hasn’t been confirmed. If the scheme is half as clever as it seems, though—well, they should still cut it out.
Encryption Keys Could Be Star Witness in US Hacking Case
A British man, under arrest for allegedly hacking into Department of Defense computers as well as systems belonging to the Department of Energy, NASA, and other US agencies, has been fighting extradition to the US since 2013. But now he’s facing another battle in the UK, where authorities there are demanding that he hand over the encryption keys to unlock data on his Samsung laptop, two hard drives, and a memory card that were encrypted with TrueCrypt. Civil liberties groups are concerned that if UK authorities win this fight, it could set a dangerous precedent that makes it easier for UK authorities to demand encryption keys in the future from journalists, activists, and others.
Educating people about the importance of strong passwords? Great. Encouraging them to enter their own passwords into a text box to help “grade” how effective they are? Okay, sure, maybe. Applying zero security to the transmission of those passwords, so that anyone on the same network could pretty easily see what people were inputting? Okay, that’s where you lost us. And it gets worse! People who used an interactive feature on CNBC’s blog called “The Big Crunch” and hit the “Submit” button sent their passwords to a Google spreadsheet, which in turn was visible to dozens of third-party advertisers. The story was eventually pulled, but not before making a hash of the very lesson it was trying to teach.
Last month, the Department of Defense announced that it would roll out a program to pay rewards to friendly hackers who report security vulnerabilities in the Pentagon’s websites—the first ever “bug bounty” run by the federal government. The project seemed like a bold move from a Defense Secretary whose moves to modernize the military have followed in Silicon Valley’s footsteps. But the pilot program that actually launched this week is far less bold than it initially sounded. The “Hack the Pentagon” program, for now, will accept only bug reports from hackers who submit to a background check, vastly limiting participation. It will run for less than a month, ending May 12. And it will exclude any “mission-critical” sites, limiting the white-hat hacking to only a subset of military websites of the DoD’s choosing. The pilot program may yet be a conservative version of a more aggressive bounty set to launch later. But in an era when a company like Uber can launch its first bug bounty with $10,000 payouts, a loyalty program, and even a “treasure map” to help friendly hackers, the Pentagon’s attempt at security innovation doesn’t measure up.
Drug Cabinet Wins Award For Most Security Holes in One Device
We’ve written extensively about security problems in medical devices and hospital networks. But an alert issued this week by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) gets the award for most vulnerabilities found in a single device—none of which the manufacturer plans to fix. Security researchers Billy Rios and Mike Ahmadi found more than 1,400 vulnerabilities in the Pyxis SupplyStation, an automated medical supply cabinet made by CareFusion that is widely used in hospitals and clinics to dispense drugs and track drug inventories. The vulnerabilities exist in older versions of the cabinet systems, however, which the company says have reached the end of their life; therefore CareFusion has no plans to patch them. Instead, the company advised customers still using them to reduce their risk of being hacked by disconnecting the drug cabinets from the internet or by taking other precautions.
In the ongoing comedy show known as the Internet of Insecure Things, security researchers have demonstrated an attack using that simplest of household appliances: the light bulb. Eyal Ronen, a researcher at the Weizmann Institute of Science, and his professor, the renowned cryptographer Adi Shamir, have shown that it’s possible to use internet-enabled lightbulbs for mischief ranging from exfiltrating data from airgapped networks to causing seizures in people near the lights. They showed that with malware planted on a PC connected to the same network as the bulbs, they could modulate the bulbs’ brightness to undetectably convey data from the network to a hacker with a telescope. Or, in an attack that sounds more useful for malicious pranksters than cyberspies, they could cause the bulbs to strobe at frequencies designed to cause epileptic convulsions.