Security News This Week: The FBI Gets Creative to Avoid Disclosing Its $1M iPhone Hack
Yep, we finally did it. After years of pointing out the privacy and security issues in other web sites, WIRED.com finally addressed one of its own longstanding security issues—by rolling out HTTPS for our security channel. It’s a move everyone should follow, though we’re the first to admit that the technical challenges are not trivial. The rest of WIRED will get the same HTTPS treatment in the coming weeks.
But there are still plenty of security holes in the world—including the longstanding one at the core of our cell phone networks, which attackers are actively exploiting to track cell phone users and intercept their calls and texts.
This week, we also looked at how to ensure that your encrypted messages really are encrypted and at the reassuring reality that even beautiful people suffer the same security indignities as the rest of us.
And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
WIRED wasn’t alone in converting to HTTPS this week. Google also announced that all traffic between web sites and Google Analytics will use HTTPS, regardless of whether those sites are using HTTPS themselves. Google showed in an audit this year that 79 of the web’s top 100 non-Google sites don’t deploy HTTPS by default—and that’s a big deal, since those sites comprise about 25 percent of all internet traffic worldwide.
It wouldn’t be another week without a new episode in the FBI vs. Apple saga. This week, officials said the FBI is unable to disclose details about that apparent $1 million vulnerability it bought from hackers to break into the San Bernardino iPhone because it doesn’t know the details. “The FBI knows how to use the phone-hacking tool it bought to open the iPhone 5c but doesn’t specifically know how it works,” the Wall Street Journal reported. That ignorance no doubt is by design because it prevents the FBI from disclosing the vulnerability or vulnerabilities to the government’s so-called Vulnerabilities Equities Process. Under the VEP, the NSA and other government entities that discover or purchase a zero-day vulnerability or exploit have to submit it to a government review, which determines whether the security hole should be disclosed to the software vendor to be fixed or withheld so that the NSA, the FBI and other government entities can exploit the flaw to hack into the systems of surveillance targets and criminal suspects.
Remember those hackers whose $1 billion bank heist got spoiled by a typo? The hackers misspelled “foundation” as “fandation” in a wire transfer request to the Bangladesh Bank, which prompted bank authorities to halt a money transfer order—but not before the hackers had already absconded with $80 million. This week we learned that the hackers might have used malware that targets vulnerabilities in software at the core of the SWIFT platform. SWIFT, the Brussels-based Society for Worldwide Interbank Financial Telecommunication, is the heart of the global financial system; its platform allows financial institutions to interface with one another and transfer money around the world. The hackers allegedly altered the software on the Bangladesh Bank’s server to thwart detection of the fraudulent transfers.
It wouldn’t be a new week if there wasn’t another security breach to report. This time around, the music service Spotify was the target of hackers, who posted the credentials for hundreds of Spotify users on the hacker-friendly site Pastebin. The leaked info includes email addresses, usernames, and passwords. Spotify denied it had been hacked but didn’t say how the credentials might have leaked otherwise. Regardless, users reported suspicious activity on their accounts, including being kicked out by apparent intruders.
Voters have yet to decide who will be the Republican presidential nominee, but two of the contenders, Ted Cruz and John Kasich, got a no-vote of sorts after security researchers discovered that the phone apps they’ve distributed to voters are leaking personal data. According to Symantec researchers, the Cruz Crew app makes it possible for hackers to capture a phone’s unique ID and other personal information; the Kasich 2016 app could expose location data and other personal information. The Cruz camp didn’t concede victory to Symantec, however. “If Symantec had looked more carefully,” a spokesman testily told a reporter, “they would see that the app requests the device info, but this info is never sent anywhere. The Cruz Crew app is the most secure, popular, and effective app of any 2016 presidential candidate.” He should probably consider that some hackers will take that as a challenge.
The American Dental Association discovered the hard way why distributing information to members via a USB stick isn’t the most secure solution. Apparently, the ADA mailed dental offices a USB stick containing a file that attempted to access a web site known to distribute malware. “I bet some marketing genius had this wonderful idea instead of making it downloadable,” one of the recipients wrote on the DSL Reports Security Forum. “I can’t wait to plug an unknown USB into my computer that has PHI/HIPAA on it.” After the news spread, the ADA sent an email to recipients telling them to toss the USB if they hadn’t used it yet, and to instead visit the ADA web site to download the information it was trying to send on the USBs.