Security News This Week: Someone’s Cutting Fiber Optic Cables in the Bay Area
This week, four men were indicted for hacking into JPMorgan Chase. The Tor Project accused the FBI of paying Carnegie Mellon researchers a million dollars for assistance in unmasking users. Even though authorities aggressively prosecuted Matthew Keys for his involvement in a 2010 hack of the LA Times’ website, they apparently never bothered to charge the alleged real hacker. Privacy advocates saw progress when an appeals court ruled that tracking web histories without a warrant can violate the Wiretap Act. And a federal judge ruled that the NSA’s controversial phone records collection program is unconstitutional, which sets a significant precedent. The investigative news site The Intercept got a scoop on US prisons, thanks to someone who leaked information using The Intercept’s anonymous SecureDrop platform. We showed you how to disable iPhone map’s tracking. And took a look at CSI: Cyber’s latest episode, which somehow didn’t get car hacking totally wrong.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
The FBI says that there have been 16 fiber cuts in the San Francisco Bay Area, which leads to the disruption of land and mobile phone service and internet access, as well as rendering ATM machines and credit card machines non-functional. Severing one or more fiber optic cables and disrupting telecommunications to large sections of the region—including Lawrence Livermore National Laboratory—requires crawling through manholes, typically late at night. Security experts and networking engineers say that if someone cut any Internet exchange points (IXPs), where major networks converge, it would cause the greatest disruption. IXPs are often privately held, and many are housed in buildings or manholes with limited security. One solution is to create redundancy by building more IXPs for a more robust network, or diversifying routing through alternative fiber networks.
After allegedly writing racist, threatening posts on the social media app Yik Yak, Northwest Missouri State University student Connor B. Stottlemyre and Missouri University of Science and Technology student Hunter Park were both arrested. Although users can create and read posts not attached to their names on the app, Yik Yak does have access to users’ IP address, the GPS coordinates of the message, the unique user-agent string identifier for each user, and sometimes their phone number along with the time and date of each message posted. Yik Yak may provide information to authorities even without a subpoena, warrant, or court order if a post poses a risk of imminent harm, the company’s communications director told the Daily Beast. Texas A&M University student Christopher Bolanos-Garza was arrested late last month for allegedly making a threat on Yik Yak.
European Authorities Coordinate Raids to Battle an Iran-Linked Cyberspy Group Called “Rocket Kitten”
European authorities are working together to prevent attacks from a hacker group called Rocket Kitten, which is believed to be linked to Iran’s Revolutionary Guard. Rocket Kitten has targeted high-profile military and political figures globally, including Israeli nuclear scientists, NATO officials, and Iranian dissidents, according to security researchers. The US-Israeli security firm Check Point Software says it’s discovered the inner workings of Rocket Kitten’s cyber espionage campaign, including a list of targets. So national computer security response teams in Britain, Germany, and the Netherlands moved to shut down the “command and control” servers the hackers were using to mount attacks.
If you have a Vizio Smart TV, you’d probably want to know that its “smart interactivity” feature, which is on by default, closely tracks your viewing behavior and shares it with advertisers. As if that’s not bad enough, Vizio is now combining that information with that from other devices sharing the same IP address—and data brokers can already use IP addresses to determine age, profession, and more. While cable and video rental companies can’t legally sell information about their customers’ viewing habits, these laws don’t apply to Vizio. Maybe this is a good reason to stick to dumb TVs—at least for now. Vizio doesn’t have great security either—researchers recently showed that its smart TV is vulnerable to man-in-the-middle attacks because it didn’t validate the HTTPS certificates of the servers it connected to. Vizio says it’s issued a self-installing security update.
In an attempt to monitor drug traffickers across the country, the DEA secretly intercepted tens of thousands of calls and texts in the LA suburbs. A single state court judge, Helios Hernandez, authorized this massive wiretapping operation, and earlier last year he approved nearly five times as many wiretaps as any other judge in any jurisdiction in the country. Justice Department lawyers have mostly refused to use the data in federal court because the applications approved by state judges fall short of what’s required by federal law. Although police aren’t supposed to record calls that aren’t relevant to their investigations, reports filed by judges and prosecutors show that the vast majority of the 2 million+ communications intercepted were not related to crime. Since the DEA’s practices are usually a sign of what the future US spying will look like, this legally questionable wiretapping operation is pretty disconcerting.
Looks like someone sold 590,000 Comcast email addresses and passwords on the deep web, but—plot twist—the purchaser may have been Comcast itself, given the speed of their response. Only about 200,000 of the accounts were active, and Comcast forced password resets for those impacted. A Comcast representative told CSO that none of its systems or apps were compromised.
Not only has the US military given up on the custom-built encrypted cell phone that it took $36 million and five years to develop, but it’s also lagging behind on crucial security upgrades for its other devices. In fact, phones used by military officials and officers for non-battlefield communication may have remained vulnerable to Stagefright bugs for nearly five months after the bug was discovered. That’s because military users have to wait until the Pentagon independently tests and then approves patches. The military can shut off certain features on phones until this approval takes place, and it has a firewall system in place, but unpatched phones may still be vulnerable to attack. To make matters worse, telecoms and manufacturers are often slow to push out patches and don’t even provide them for the older models often used by the military.
View original post here –