Security News This Week: Hacked Toymaker VTech Now Makes Home Monitoring Tech
This week, ProPublica launched the first major news site on the deep web. Twitter reversed its stance on Politwoops, allowing it to record and share politicians’ deleted tweets once again. Comcast XFinity’s home security system was revealed to leave users’ homes vulnerable to thieves with radio jammers. A report published by the Electronic Frontier Foundation concludes that T-Mobile is throttling video for unlimited streamers, and T-Mobile’s CEO drew even more attention to the issue with an unhinged video rant. And cryptographer David Chaum proposed a controversial app called PrivaTegrity, which would run on a system that could allow revocation of anonymity by a nine-person backdoor council.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
The kids’ electronics manufacturer that was hacked in November expects you to trust its new home monitoring devices
Last November, a hacker who broke into kids’ gadget maker VTech’s system was able to access names, home addresses, email addresses and passwords of more than 4 million parents and 6 million kids, including tens of thousands of kids’ photos and chats between kids and their parents. Now, VTech is expecting customers to trust it with its new line of home monitoring devices, such as cameras and sensors, all accessible through a single smartphone app that allows parents to check in on their kids and even record video. (Color me skeptical.) Although VTech’s product marketing director told Motherboard that the new products are undergoing penetration testing by a third-party vendor, the company declined to share the specifics.
Malware infecting regional power authorities in Ukraine led to a massive power outage late last year, leaving hundreds of thousands of homes without electricity. Security researchers at iSIGHT Partners analyzed samples of the malware, and stated that the malicious code led to events that caused the power outage. Security researchers at antivirus provider ESET stated that Ukrainian power companies were infected with “BlackEnergy” malware, which has the capability of causing the blackout. ESET stated that the malware was delivered to the power authorities via social engineering that used malicious macro functions in Microsoft Office documents.
A position paper published by the Dutch Ministry of Security and Justice is firmly opposed to the introduction of encryption backdoors, stating that giving authorities access “would also make encrypted files vulnerable to criminals, terrorists, and foreign intelligence services” and lead to undesirable consequences. The position paper comes on the heels of the Dutch government approving a $540,000 grant to the OpenSSL project, a software library used in applications that secure and authenticate communications.
Henry Schein Practice Solutions, a company selling office management software to dental practices, has agreed to pay $250,000 to the Federal Trade Commission to settle charges that it misled its customers about the level of encryption it used to secure patients’ sensitive medical data. Although Schein promised industry-standard encryption, its Dentrix G5 software used a standard that was weaker than government recommendations. The company must also notify software users about its substandard encryption.
Michael Hayden, the former director of the CIA and NSA, argued against encryption backdoors while speaking on a national security panel hosted by the Council on Foreign Relations. He stated that the government can get around encryption by collecting metadata. In contrast, former US deputy attorney general Jamie Gorelick and former U.S. Customs and Border Protection commissioner Robert Bonner argued on behalf of legally mandated backdoors.
Uber has agreed to pay a $20,000 fine to the New York attorney general’s office after a 14-month investigation over its privacy practices and “God view” aerial tracking system. The fine was for failing to report unauthorized third-party access to drivers’ personal information in an expedient fashion. Uber states that it has removed all personally identifiable information of riders from the aerial tracking system, that employees only have limited access to rider information, and that it has begun auditing employee access to personal data. The company has also agreed to encrypt and password-protect geolocation data, only allow access to it for employees with “legitimate business purposes,” and incorporate multi-factor authentication to secure access to personal data.
House Committee Suddenly Cares About NSA Surveillance After Private Conversations Between US Lawmakers and Israeli Leaders Were Captured
Now we know what motivates the government to act on surveillance: After the Wall Street Journal reported that the NSA targeted communications with Israeli leaders, including private conversations with US lawmakers, the US House Intelligence Committee is exploring whether additional safeguards are necessary to protect members of Congress—and Americans—from incidental collection of private conversations.
While speaking on a panel at CES, FTC chairwoman Edith Ramirez admitted that she uses a pedometer rather than wearing a Fitbit because she doesn’t want her sensitive health information being shared. She raised concerns about ubiquitous and sometimes unnecessary data collection by companies, and called on consumers to be cautious about how their information is being used, and with whom it is being shared.
Sorry, Naruto, but it’s looking like monkeys can’t own the rights to their own selfies. A federal judge ruled that Naruto, a six-year-old monkey, does not own intellectual property rights to selfies he snapped during an Indonesian jungle photo shoot. The pictures in question are in the public domain, since they were produced by the Macaca nigra monkey. Naruto—or rather his lawyers, representing People for the Ethical Treatment of Animals—were seeking monetary damages for copyright infringement. The judge did not dismiss the case, however, and his forthcoming written order may allow PETA to amend its lawsuit.