Security News This Week: Edward ‘Scissorhands’ Snowden Deserves to Be Free
It’s been a busy week. The world’s most famous whistleblower, Edward Snowden, set up his own Twitter account. Banks and retailers in the US hit their deadline for switching to microchip-embedded bank cards, but it turns out the chip ‘n’ signature cards won’t actually eliminate fraud. Hackers stole private information from 15 million T-Mobile customers by targeting Experian, T-Mobile’s data-collecting business partner. Members of the security community tried, and failed, to agree on the right way to handle security vulnerability disclosures. A security consultant revealed a tool that finds security vulnerabilities in auto repair shop equipment that could of course also be used to infect other cars with malware. Meanwhile, Berlin-based anti-surveillance activists launched a campaign to get agents to quit the NSA or GCHQ. Oh, and there’s a new privacy-focused Silent Circle Blackphone.
But that’s not all the security news this week. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!
Edward Snowden opened a Twitter account on Tuesday, and quickly amassed more than 1.2 million followers. When HLN anchor Yasmin Vossoughian interviewed comedian Jon Hendren about this, Hendren hijacked the segment to talk about Edward Scissorhands instead. It’s unclear whether Vossoughian was playing along or just completely checked out, but she didn’t visibly react to Hendren’s comments on how “people didn’t get scared until he started sculpting shrubs into dinosaur shapes and whatnot,” or referring to, uh, Edward as having scissors for hands and no heart, and poking a hole in a waterbed with his scissor fingers. Anyway, you have to see it to believe it, so watch for yourself.
Time for Patreon members to change their passwords, now that hackers have dumped usernames, email addresses, and shipping addresses for 2.3 million users. The crowdfunding platform lets artists, musicians, and writers receive funding from patrons when new material is released, or on a recurring basis. The hackers apparently accessed Patreon’s database through a debug version of the site. No credit cards were compromised.
Take a deep breath and get ready for this tangled web of, uh, oversight… the Justice Department’s Office of the Inspector General is investigating the FBI’s use of info taken from the trove of telephone metadata collected by the NSA. It turns out that the NSA shared daily metadata reports with the FBI from at least 2006 to 2011, though it may have gone on longer. The OIG is also investigating the DEA’s use of parallel construction, which is a technique where investigators glean insight from sources like the NSA and use the information to aid in criminal investigations while covering up or lying about the sources.
Security researchers at Symantec have uncovered an unexpected kind of malware—instead of attacking its victims, it protects them. Wifatch, as it’s called, is a router virus that deletes other malware and even cuts off the channels that other malware could use to attack the router. It even reminds users to update the device’s firmware when they try to access the Telnet feature. Symantec estimated that tens of thousands of devices are infected.
Just as we started to forget about the specter of Stagefright, the same security researcher who discovered the original series of Android bugs found two new bugs that make Android phones vulnerable to hacking. All the attackers need to do to wreak Stagefright 2.0 havoc is to encode and deliver malicious code via an MP3 or MP4 file, and it’s game over for the Android user. (Go auto-preview?) Google is apparently working on patching this vulnerability in time for the October 5th monthly security update.
Ever wanted to know how politicians stand on surveillance reform? This new website will be music to your ears. The nonprofit organizations Restore the Fourth and Fight for the Future have launched a user-friendly Political Scoreboard that ranks each member of Congress on their critical legislative votes related to government spying. Each legislator has grades and is placed in “Team Internet,” “Team Surveillance,” or “Unclear.” You can view politicians by state or chamber, and click through for more information on how the legislator voted on various bills, as well as more information on the bills themselves, and also tweet out a legislator’s grade and associated link directly from the site.
Not only is presidential candidate Carly Fiorina a fan of warrantless surveillance, she actually helped the NSA do it. In the aftermath of 9/11, the former HP CEO rerouted truckloads of HP servers originally destined for retail stores to the NSA for the program known as “Stellar Wind.” That could be why former NSA director (and then-CIA director) Michael Hayden appointed Fiorina as chair of the CIA External Advisory Board in 2006, a year after she was forced to resign as HP CEO.
The CIA pulled officers from the US Embassy in Beijing as a precautionary measure, since the breach of federal personnel records likely blew their cover. The OPM records had background check information on State Department employees, which could have been cross-referenced with the list of embassy personnel to identify CIA officers. Although US officials have privately blamed the attacks on the Chinese government, senior defense and intelligence officials are reticent to recommend that the US retaliate for cyberespionage, since it’s something the US engages in as well.
Journalist Matthew Keys faces computer hacking charges under the Computer Fraud and Abuse Act for allegedly posting user credentials for Tribune Company’s content management system on an Anonymous IRC channel. His trial began this week. Keys worked as a web producer for KTXL, a Fox affiliate owned by the Tribune company, and allegedly still had CMS access after leaving his position. An LA Times article was apparently defaced for around 40 minutes. The prosecutors claim the Tribune spent over $5,000 to fix the defacement.
For some reason, people keep thinking that cutting and pasting legalistic language will magically protect their Facebook photos and posts from copyright violations. These types of status updates saw an upsurge this week, although they have been thoroughly debunked. Pro tip: your legal rights on Facebook are determined by the Terms of Service, not a status update. If you’re worried about your privacy, change your settings, or (gasp!) stop using Facebook altogether.