Security News This Week: Russia and US Homeland Security Agree on Something for Once
This week, Excellus Blue Cross Blue Shield was hacked, and anywhere from 10 to 10.5 million people’s personal records were exposed. Lockpicking experts posted 3-D printable master luggage key files on GitHub. Apple fought back against a government request for data in the courtroom. Russian-speaking spy gang Turla hijacked satellite IP addresses from other users to steal data. And that’s not all. Each Saturday we round up the news stories that we didn’t cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!
Kilton Public Library, located in the small town of Lebanon, New Hampshire, became the first library in the country to allow Tor users around the world to mask their locations by bouncing their traffic through the library’s middle relay. This effort came to a screeching halt when the Department of Homeland Security contacted the police department, and both city officials and local law enforcement officers expressed concern that Tor could be used by criminals. Which…yes, but Tor is also used by journalists, domestic violence survivors, human rights activists, privacy advocates, and even law enforcement officers themselves. The library agreed to turn off the relay temporarily. Its board of trustees meets on September 15, when they will vote on whether to resume running the anonymous web browsing service. The EFF started a petition to show support for Tor in public libraries, if you’re so inclined.
The Russian Interior Ministry is also reportedly out to get Tor, apparently hiring the Central Scientific Institute for Economics, IT and Management Systems (CSI EIM) to identify users of the Tor network. However, it looks like their attempts to compromise the anonymous browser have failed. Perhaps that is why CSI EIM plans to terminate its contract with the state without actually finishing the job.
As if using automated license plate readers to track vehicle locations—and then lying about it—isn’t bad enough, the Boston Transportation Department’s license plate reader system, run by Genetec, actually stored all of its records unencrypted and within public view, on an online server maintained by a Xerox subsidiary. Motor vehicle records, home addresses of anyone with a Boston parking permit, and other sensitive data was available to anyone who found the correct URL, until two weeks after Digboston reporter Kenneth Lipp alerted authorities to the fact, that is.
US Department of Energy (DoE) computer systems were compromised a whopping total of 159 times between 2010 and 2014, federal records obtained by USA Today show. To make matters worse, attackers gained administrative privileges to Department of Energy computer systems in 53 of the 159 successful intrusions. There were 1131 attempts over the four-year period. All of that is a little disconcerting, considering that DoE data could give away information about the nation’s power grid, stockpile of nuclear weapons, and other critical details. In an audit report released almost a year ago, the Inspector General noted that 41 DoE servers and 14 DoE workstations had either default passwords or easily guessable ones. D’oh.
The Internet Assigned Numbers Authority and Internet Engineering Task Force have designated .onion domains, hosted on the Tor network, as “Special Use Domains.” The change, originally proposed by security researcher Jacob Appelbaum and security engineer Alec Muffett, enhances the security of .onion sites by allowing them to get security certificates and enable encryption on their sites.
Even if you like viewing adult videos on your Android, it’s best to avoid the “Porn Droid” app, since it’s actually a LockerPin Trojan in disguise. Clicking through the installation for the app and downloading and installing an update gives it device administrator privileges, which lets it lock the device and reset the PIN. This is followed by a notice to pay $500, but since the new PIN is randomly chosen after reset, paying the ransom won’t actually help you. Luckily, there is a way to remove the PIN lock screen even without a factory reset in some circumstances.
In a post for the Huffington Post, FTC Commissioner Terrell McSweeny called for strong encryption to both thwart thieves and protect sensitive data. Although in strong contrast to statements from the FBI and NSA, McSweeny’s comments are similar to those of FTC Chief Technologist Ashkan Soltani.
Fake recruiters on LinkedIn are targeting security researchers in what may be an effort to map their social graphs. The “recruiter” sockpuppet accounts are each focused on particular types of security specialists, and this is their m.o.: each “recruiter” approaches their prey by “scouting” people for jobs for about a week before removing their profile pic, changing their name, and eventually removing their account altogether.
The battle between the US government and Microsoft over whether the Department of Justice can access a single Hotmail email account stored on a Microsoft server in Ireland continued on Wednesday in the Second Circuit Court of Appeals. The government considers the private emails to be Microsoft’s business records, accessible via a search warrant, while Microsoft contends that they are the customers’ personal documents. Microsoft has lost twice in court. A ruling in this case could come anytime between October and February 2016.