Security News This Week: The NYPD Doesn’t Want You to Know About Its X-Ray Spy Vans
This week we found out that as many as 90 percent of people killed by US drones weren’t the intended targets, thanks to a ‘second Snowden’ who leaked a mother lode of documents to The Intercept. The Democratic presidential candidates discussed Edward Snowden during the Democratic presidential debate, but only long-shot candidate Lincoln Chafee said he would welcome him home without any charges. French hackers showed they can remotely take control of Siri and Google Now by using radio waves from as far as 16 feet away. We took a look at the many ways cops could hack into your iPhone even without a backdoor. It’s not all bad news, though: Tech companies like Apple may have a new legal defense for resisting the government’s orders to unlock devices.
And that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
The NYPD has been using super ‘Z Backscatter Vans,’ secret X-ray vans that can see inside cars or even homes, but they don’t want to discuss even the most basic details of what they’re using them for—or whether they have any health risks. ProPublica filed suit against the NYPD three years ago when a journalist was denied access to training materials, police reports, and health tests related to the vans. The NYPD appealed the decision, and the New York Civil Liberties Union has asked for permission to file a brief in favor of the original ruling to the appeals court. The vans, which are used by US Customs and Border Protection to scan cars for drugs and explosives, cost as much as $825,000 each.
You can read what appears to be the final version of the Trans-Pacific Partnership’s intellectual property chapter on WikiLeaks, and it’s as bad as everyone feared. If ratified, it would give Trans-Pacific Partnership countries (including the United States, Canada, Australia, and nine others) more power to stop information from going public, block patient access to lifesaving medicines, destroy devices used for digital tinkering, prevent white hat security researchers from doing their jobs, and expand copyright terms to life plus 70 years. In some circumstances, penalties for copyright infringement could even include jail time. “The TPP is the archetype of an agreement that exists only for the benefit of the entitled, politically powerful lobbyists who have pushed it through to completion over the last eight years,” writes Electronic Frontier Foundation’s senior global policy analyst Jeremy Malcolm.
It’s not like Adobe Flash vulnerabilities are a surprise to anyone, but the timing of this one is a bit unfortunate: Adobe released a security update on Tuesday, but it doesn’t cover the latest zero-day that Pawn Storm attackers are exploiting in the wild. Their m.o. is to send foreign affairs ministers phishing emails disguised to look like international news stories, with links to the exploit. The rest of us are likely in the clear, but since Flash is outdated software with a constant stream of vulnerabilities, now is the time to uninstall.
Just days after Uber fixed a vulnerability that let attackers control hacked Uber user accounts, drivers noticed that the new “Uber Partner” app was leaking other drivers’ personal information—social security numbers, driver’s license scans, tax forms, and more. Uber told Motherboard that the data leak affected no more than 674 drivers, and fewer than a thousand documents were exposed.
Apple removed several apps from the App Store that were installing root certificates that could be used to expose encrypted traffic and put secure data at risk. It recommended deleting not just the apps, but also their configuration profiles.
Things are a mess at the IRS, and we’re not talking about your taxes. It’s gotten so bad that the IRS needs to upgrade 110,000 ridiculously out-of-date Windows servers, but has one big obstacle in its way: It doesn’t know where about 1,300 of them are. Let’s hope it can find them before an attacker does, since it only takes ONE computer with an outdated operating system for a data breach, such as the one the IRS suffered earlier this year.
It turns out Apple has disabled its news app in China, though it won’t say why. While Apple News is only available in the US (and being tested in Britain and Australia), users with phones registered in the US can typically still see their content when they travel abroad. Not so for China, where they’ll be greeted with a message saying that news isn’t supported in their current region.
Hackers attacked the crowdfunding platform Patreon earlier this month, dumping the usernames, email addresses, and shipping addresses for 2.3 million users onto the web. Developer Randi Harper, founder of the Online Abuse Prevention Initiative and creator of the Good Game Auto Blocker, said that donors to her campaign had their information anonymously posted on Pastebin. Her donors later received a mass email from a conservative journalist who threatened to contact their employers. But it’s backfired, according to Harper, since it brought visibility to online harassment and led to increased donations.
The Affordable Care Act’s healthcare.gov site attracted scrutiny in January for sending personal information (including zip codes, income level, age, smoking habits, and pregnancy status) to third-party companies. In a victory for privacy advocates, the healthcare.gov site has finally made some privacy improvements, and those include honoring the “Do Not Track” feature for users who have enabled it in their browsers. Users will also be able to disable tracking in their privacy settings, though they must accept a cookie from the site to store their privacy preferences.