Security News This Week: Congress Celebrates the Snowden Movie by Slamming Snowden
Clinton and Trump aren’t the only ones campaigning this fall. The ACLU, Human Rights Watch, and Amnesty International came together this week in a renewed initiative to get whistleblower Edward Snowden pardoned by the Obama administration before he leaves office in January. Conveniently, Snowden, the biopic directed Oliver Stone, opens this weekend and portrays Snowden in an extremely positive light. As you’ll see in our news roundup below, however, Congress is far from convinced.
The New York Attorney General’s office announced that it’s cracking down on websites for kids that illegally track browsing. Meanwhile, the Justice Department is working to expand the scale and scope of law enforcement’s malware distribution and hacking. And it turns out that the FBI, despite its claims to the contrary, likely could have hacked one of the San Bernardino shooters’ iPhones without the cooperation it demanded from Apple. With an attack on the World Anti-Doping Agency, Russian hackers seemed to be getting even more more brazen than in their hack of the Democratic National Committee. In a long-awaited decision, a U.K. judge ruled that activist Lauri Love should be extradited to the U.S. to face hacking charges. And malicious third-party iOS app stores are distributing adware-laced Pokémon Go apps to millions of iPhones. (See more Pokémon Go-related malware below.) Oh, and it turns out that pixelating or blurring images to obscure the people and objects in them can be defeated by modern machine learning techniques. Not very comforting for all those unwilling guest stars on COPS.
And there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth but still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Three years after Edward Snowden walked out of the NSA with a trove of its secrets and flew to Hong Kong, the House Permanent Select Committee on Intelligence has released the first glimpse of its investigation into the fallout. And how convenient that it arrived 24 hours before the opening weekend of Snowden, the Hollywood film directed by Oliver Stone that portrays the young whistleblower as a full-blown hero. “Edward Snowden is no hero – he’s a traitor who willfully betrayed his colleagues and his country,” committee chair Devin Nunes wrote in a statement accompanying the three-page report. It accuses Snowden of faking performance reviews, lying about breaking his legs in Army training, and copying 1.5 million documents, thus endangering national security. In his Twitter feed and via his lawyer, Snowden denied most of those points. He wrote that he hadn’t actually faked a performance review but instead reported a security vulnerability in the review system, and that he’d spent weeks convalescing for his leg injuries in an Army medical center before walking out on crutches. As for the 1.5 million documents, his ACLU lawyer, Ben Wizner, called the tally “nonsensical,” saying that the NSA had overestimated the number because it couldn’t determine how many files Snowden had copied.
In 2007, the FBI impersonated an Associated Press editor to communicate with a suspected source of a high school bomb threat, tricking him into opening an email attachment that planted malware on his computer and revealed the 15-year-old’s location. When the incident was disclosed by the Seattle Times seven years later, the AP and several newspapers protested the tactic, which could inhibit the press’ ability to do its work without suspicion. Now the Department of Justice’s Office of the Inspector General has released the results of its investigation into the incident and essentially declared the move kosher. “FBI policies did not prohibit the practice of agents impersonating journalists, nor was there any requirement that agents seek special approval to engage in such practice,” the report states. The AP responded that it’s “deeply disappointed” in the decision, which “compromises the ability of a free press to gather the news safely and effectively and raises serious constitutional concerns.” The FBI, for its part, has since changed its policy to prohibit impersonation of the news media.
A Swedish appeals court upheld Julian Assange’s six-year-old arrest warrant, after he challenged it again. The WikiLeaks founder has spent more than three years living in the Ecuadorian Embassy in London because he claims that going to Sweden would put him at risk for being extradited to the U.S. on espionage charges related to classified information WikiLeaks has published. The arrest warrant is aimed at interrogating Assange; he hasn’t been formally indicted. The statute of limitations for the case is 10 years and will expire in 2020 if Swedish prosecutors don’t indict him by then, but they say that they are working to advance the case and Assange is scheduled to be interrogated by Ecuadorian officials on behalf of Swedish law enforcement in October.
Last week a hacker compromised all the login credentials of the science news service EurekAlert!, which journalists and public information officers user to access new research papers in advance of their publication. A German journalist notified EurekAlert! of the breach after the hacker attempted to sell him login credentials for the site. The attacker also released two news releases ahead of their embargo dates. EurekAlert, which is a division of the American Association for the Advancement of Science, took its site off line, and it’s been down since Tuesday evening. The service says that it has “rebuilt the EurekAlert! system environment” and hopes to reinstate the site over the weekend. When it’s live again, the site says that all passwords will be reset.
Kaspersky Lab recently notified Google that an app called “Guide For Pokémon Go” was actually a malicious Trojan lurking in its Play store. Users downloaded the app more than 500,000 times before the researchers caught it, and it infected at least 6,000 phones with malware. Once downloaded, the system appeared to offer real advice about Pokémon Go, but it also scanned its host device checking to see whether it was a private individual’s phone or a test unit used to detect malicious attacks. Only if the environment seemed safe did the Trojan begin downloading other malicious files. Kaspersky Lab found that, for now, the criminals running the attack use the Trojan to place adware on victims’ phones, but the researchers caution that the same system could easily be used to inject ransomware or other more damaging and intrusive malware.
Apple apparently raised the bar for bug bounties when in August it announced a $200,000 reward for any white-hat hacker who tells the company about a previously unknown full takeover technique for iOS devices. Now Google is matching that sum—for at least one lucky hacker. In a new contest it’s calling the Project Zero Prize, the company will pay out $200,000 to the hacker or team of hackers that submits the best sequence of vulnerabilities that can fully compromise an Android phone. (Modern hacking techniques typically require not a single bug, but many linked together to defeat all the protections of a device’s operating system.) The runner-up will receive $100,000, and other worthy entries will each receive $50,000. For now, only Nexus 6P and Nexus 5x phones are valid targets—after all, why bother digging up brilliant hackable vulnerabilities in the majority of other Android phones when their users don’t get patches for them?