Security News This Week: Hillary Clinton Didn’t Delete Her Emails, She Super Deleted Them
Though the Internet is often an inhospitable place, a celebrity hack this week was particularly shocking and painful because of its racial and gendered undertones. Comedian and actor Leslie Jones had her Tumblr hacked on Wednesday. The attackers posted screenshots of her driver’s license and passport photos along with her phone number and Twitter password, nude pictures of her, and racist images. The photos seemed to come from Jones’ iCloud account. The Department of Homeland Security is investigating the incident, which serves as an unfortunate reminder that online harassment is an urgent problem.
Another big story that continues to evolve is the leak of National Security Agency hacking tools by an anonymous group called the Shadow Brokers. This week we reported on evidence that people are learning about and exploiting the vulnerabilities revealed in the data dump. This is not surprising, but it does speak to the risks the NSA takes by finding and keeping software bugs for its own use instead of disclosing them to companies to be patched. Meanwhile, WhatsApp changed its user agreement this week so it can share your phone number and other data with parent-company Facebook. The messaging service has always said it put privacy first, so the move is disappointing. WhatsApp users have 30 days to opt out, so get on it.
As if that wasn’t enough, this week researchers disclosed that a shadowy surveillance software company called NSO Group has been exploiting a sequence of three vulnerabilities in iOS to install sophisticated spyware on the iPhones of high-profile targets. Apple released a patch for the bugs on August 25. Given that the company’s iOS mobile operating system has a very strong security record until this point, the findings were basically unprecedented. But see below for even more research from this week exposing iOS bugs.
And there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
We know that Hillary Clinton’s aides took precautions to make emails deleted from her private server unrecoverable, and on August 25 Rep. Trey Gowdy (R. South Carolina) named the program they used to do it. He said that the FBI’s investigation revealed that Clinton’s staff used BleachBit—an open-source tool for cleaning up and organizing digital files—to delete tens of thousands of emails. The program proudly touts privacy features on its website: “Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, [and] wiping free disk space to hide traces of files deleted by other applications.” Gowdy argued Clinton’s use of BleachBit makes it less likely that the emails she deleted were benign personal communications, as she has claimed. BleachBit said in a blog post that it has not been subpoenaed or served with a warrant in the Clinton email investigation.
Aaaaaaand another bug eats away at iOS. Researchers at three universities published evidence on August 25 of bugs in Apple’s Sandbox iOS feature, which keeps third-party mobile apps in “containers” to control what programs can access and do on a device. The tool is also meant to act as a defense against malicious apps. It’s already a big week for iOS security news, but these findings include seven (seven!) classes of vulnerabilities that could give developers or malicious hackers unauthorized power on iOS devices. The bugs could allow access to your contacts, location search histories, system file metadata—for example, where and when you took a photo, names, media libraries, and free disk space. The researchers also found flaws that could be used to let third party apps communicate with each other without permission or even block users’ own access to data on their phones. The researchers will present their full findings in October, and left some things out of this preliminary report because Apple is still working on patches for the bugs. The company likely won’t release fixes until the release of iOS 10 this fall, which may indicate that Apple doesn’t see the vulnerabilities as an urgent threat to iOS security.
This week, the dark web market site AlphaBay started accepting Monero, a cryptocurrency with an even bigger emphasis on anonymity than Bitcoin. Monero, which was first conceived in 2012 and developed in 2014, relies on some Bitcoin-like attributes, such as a blockchain and mining, but it isn’t built on Bitcoin’s source code. Instead of static usernames and wallet addresses, Monero generates unique addresses and “viewkeys” for each transaction so it’s harder for a third-party to see the details of a deal. Monero also does something called coin “mixing,” which groups transactions by size over a period of time. This makes transaction harder to trace. After the news broke, Monero’s price increased 200 percent.