Security News This Week: It’s Tech Versus the Government, Yet Again
In a move that had many scratching their heads this week, Twitter blocked the US intelligence community’s access to Dataminr, a breaking-news alert service whose algorithms sift through social media data, including Twitter’s firehose, to spotlight important events and trends. Twitter said the move wasn’t new, and that Dataminr’s service was always intended for the media and for government agencies not in the business of surveillance, but some viewed it as an attempt by the tech giant to distance itself from government spying, à la Apple. IBM’s Watson supercomputer evidently doesn’t have the same compunction about working with the feds. As we reported, its deep-learning skills are being trained on cybercrime research to help the feds fight cybercrime.
We reported on a different kind of Twitter surveillance in a story about a tool that shows you which of your applications are reading your tweets in the background and mining other information from your Twitter account. And finally, we provided tips on dealing with ransomware for lawmakers and others targeted by the cyber-extortion racket.
And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
The widespread assault on encryption has been bleak the last few years, but this week brought a small beacon of light. A UK court shot down an attempt by British authorities to force an alleged hacker wanted in the US to hand over his encryption keys. Authorities raided Lauri Love’s UK home in 2013 on suspicion that he hacked computers belonging to the US Department of Defense, the Department of Energy and other government agencies. As part of the investigation into those hacks, UK authorities seized computers and hard drives from Love’s home and found that some of them were encrypted. When Love refused to hand over his passwords to unlock the devices, UK authorities let the issue go but kept his hardware. But after Love, who has never been charged with any crime in the UK but is still wanted in the US, filed a civil complaint to get his devices back, UK authorities renewed their demand for his passwords and encryption keys, saying they wouldn’t return the devices unless he complied. A UK judge told them that’s not how UK law works.
The FBI’s battle to get into the San Bernardino shooter’s iPhone ultimately proved successful. And that’s also the case, it turns out, with about 3,500 other digital devices investigators have seized in the last seven months, according to FBI Director James Comey. But the bureau failed to access about 500 devices. Comey said the government is also having problems with WhatsApp, whose end-to-end encryption has affected investigations in a “huge way.” Comey said, however, that the government currently has no plans to go after Facebook, WhatsApp’s parent company, the way it went after Apple in the San Bernardino case.
The government’s opaque use of zero-day exploits got even more opaque this week when the feds announced that they would not identify the security hole in Firefox that they used to hack child porn suspects. Although the feds were ordered to reveal the exploit to a defendant whose computer was hacked with it, they have never revealed it to Mozilla, which makes the Firefox browser. This week the Mozilla Foundation filed a brief in court stating that the government “must disclose the vulnerability to us before it is disclosed to any other party” so the hole can be patched quickly. “Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community,” Mozilla argued.
It’s hard to believe that Facebook, the social media behemoth at the center of so many privacy gaffes and controversies, would beat Twitter at protecting you, but that’s what it did when it announced an alliance with Tor in 2014 to let you access the site anonymously through a hidden service. Now, two years later, Twitter is in talks with Tor to possibly do the same for its users. The company may be slow to the game because it’s been battling for years with people who use Tor to mask their IP address while setting up accounts to spam and troll other users. “There’s a lot of stuff going on,” Tor’s director of public policy told the Daily Dot. “We have been conferring with them. We’ve had productive meetings. We’re hoping for a hidden service and fewer problems [for our users].”
A security researcher’s efforts to “pentest” a Florida county’s elections site went way too far when he used a SQL-injection flaw he found in the website to gain access to backend servers. Instead of stopping there and reporting the flaw to the website administrator and the elections supervisor who oversees the site, security researcher David Levin extracted credentials from a backend database he reached through the flaw. He then appeared in a campaign video discussing the flaws with the election supervisor’s political opponent, who is running for the supervisor job in an upcoming election. Levin was arrested last week and now faces three felony charges for unauthorized computer access.
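The flaw at the heart of the Levin story is the textbook one: user input spliced directly into a SQL string. The example below is added here to illustrate that class of bug and is not Levin’s work, the county’s code, or the actual schema of the elections site. It builds a throwaway in-memory SQLite database with constructed tables (a “precincts” table the page legitimately queries and a “users” table it never should expose), shows how a UNION payload against the string-formatted query dumps the credential rows, and shows the same payload doing nothing against a parameterized query. All table names, column names and hash values are made up for the demonstration.

```python
import sqlite3

# Constructed sample schema and data; placeholder values only, not from any real system.
SCHEMA = """
CREATE TABLE precincts (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO precincts VALUES (1, 'Precinct 101'), (2, 'Precinct 102');
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
                         (2, 'clerk', 'e99a18c428cb38d5f260853678922e03');
"""


def new_db():
    """Create a fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_precinct_vulnerable(conn, precinct_name):
    """The flaw: attacker-controlled text becomes part of the SQL statement itself."""
    sql = "SELECT id, name FROM precincts WHERE name = '%s'" % precinct_name
    return conn.execute(sql).fetchall()


def lookup_precinct_safe(conn, precinct_name):
    """The fix: a bound parameter is sent as data and can never be parsed as SQL."""
    sql = "SELECT id, name FROM precincts WHERE name = ?"
    return conn.execute(sql, (precinct_name,)).fetchall()


# A UNION-based payload: closes the string literal, appends a second SELECT that
# reads from a table the page was never meant to expose, and comments out the
# trailing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "


def demo():
    """Run the same payload through both lookups; return (leaked_rows, safe_rows)."""
    conn = new_db()
    leaked = lookup_precinct_vulnerable(conn, UNION_PAYLOAD)  # credential rows come back
    safe = lookup_precinct_safe(conn, UNION_PAYLOAD)          # no precinct has that name: []
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query leaked:", leaked)
    print("parameterized query returned:", safe)
```

The legitimate input “Precinct 101” returns the same single row from both functions, which is exactly why this class of bug survives testing: the page works fine until someone feeds it a quote. Note that parameterization protects the values; table and column names still cannot be bound this way and must be whitelisted if they ever come from the client.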
Even Porn Sites Deserve a Little Prophylactic Protection
Bug bounty programs have been around for years, but usually it’s the big players who offer to pay researchers for security holes found in their software and websites. This week Pornhub, which gets 60 million visits a day, announced it would now pay bounties to anyone who finds holes in its site that attackers could use to infect visitors or compromise their data. The payouts range from $50 to $25,000.