Security News This Week: The US Won’t Force Companies to Build It Backdoors—For Now
This week, journalist Matthew Keys was found guilty of aiding members of Anonymous to hack his former employer. Verizon will limit its ‘zombie cookies’ to Verizon-owned sites and the company’s partners, including AOL. A European Union court declared the US doesn’t provide adequate safeguards for personal information. The German activist group Intelexit has started using drones to drop anti-spying leaflets over an NSA facility in Europe. WikiLeaks is crowdsourcing a $50,000 bounty for video footage and cockpit audio of the US airstrike on the Doctors Without Borders hospital in Kunduz, Afghanistan. California passed comprehensive digital privacy legislation requiring a warrant for location data, content, metadata, and device searches. And we took a look at ProtonMail’s security strengths and weaknesses.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!
The Obama administration has decided not to pursue legislation forcing tech companies to decrypt messages for law enforcement—at least not for now. Instead the administration will continue pressuring companies to weaken their own security by voluntarily creating government backdoors. A coalition of industry and privacy groups, SaveCrypto.org, is calling on the White House to publicly support strong encryption, and outright reject any policies that would undermine security. “The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data,” the site reads.
Police have voluntarily instituted policies over how long they can store license plate data, which includes photographs of vehicle license plates along with GPS data and time markers. Private databases, on the other hand, keep their scans forever. So of course police are buying access to these databases, which include license plate photos taken by repo men and tow-truck drivers. Of course, law enforcement can use the license plate data to identify crime suspects, but they can also use it to surveil individuals and determine their travel patterns and the types of businesses they frequent. That’s why privacy advocates argue that police officers should need a warrant to access these databases.
Now that schools are legally obligated to monitor their students for so-called extremism, the software company Impero has developed a library of “radicalization keywords” as an add-on to its Education Pro monitoring software. This software will flag students who search for names of Muslim political activists or words such as “caliphate,” “apostate,” “jihadi,” or “Islamism,” on classroom computers. Teachers will receive a “violation alert” to let them know when a student has searched for an offending term, and they can then save screenshots or videos of the thoughtcrime to share with the government. What could go wrong?
Researchers from the security firm Cybereason discovered malware that can infect organizations’ Outlook Web Application mailservers over a long period of time, stealing the organization’s email passwords in the process. The security firm found a rogue DLL file on their client’s OWA server. Backdooring Outlook Web Application’s configuration allows attackers to collect and retain ownership over a large set of authentication credentials.
As if getting bombarded by real recruiters on LinkedIn isn’t bad enough, now there’s a new threat on the networking site: suspected Iranian hackers posing as recruiters from major international companies. The group operating out of Iran is having a bit of luck, according to a report from Dell’s SecureWorks unit, as researchers found that the 25 fake accounts they analyzed have connected with more than 200 legitimate LinkedIn users–including 12 from the US. After initially connecting, the fake accounts send their targets malicious files, designed to look like resume applications, for example, to compromise their computer and gain access to sensitive information.
Before the Burlington, Mass.-based startup LoopPay was acquired by Samsung for more than $250 million, it was hacked by Codoso Group (aka Sunshock Group), a hacker group affiliated with the Chinese government. The Codoso hackers were inside LoopPay’s network for five months before they were discovered. Codoso Group was apparently after the company’s magnetic secure transmission tech, which is central to Samsung Pay’s mobile payment wallet that just debuted publicly on September 28. The company believes only their corporate network was hacked, but not the production system that helps manage payments. As far as they know, no customer data or financial information has been stolen. However, Codoso Group often plants hidden backdoors across the systems of its victims, so it’s possible that the forensics teams investigating the breach may find more surprises.
Security researcher Gianni Gnesa was planning to give a talk about network surveillance camera vulnerabilities at the Hack-in-the-Box GSEC Singapore conference. He diligently disclosed the bugs and sent proof-of-concept exploits to the three affected vendors three months before the talk would’ve taken place. In addition, Gnesa also emailed the affected manufacturers and offered to let them review the content of his presentation so he could make changes. Despite this, Gnesa ultimately chose to pull his talk due to legal pressure from vendors. It’s too bad that threatening security researchers won’t actually fix the vulnerabilities.
The Hillary Clinton email saga ain’t over yet, as the FBI continues to investigate whether classified email was improperly stored or transmitted through her server. This probe now includes Datto Inc., a second data company that was hired by Platte River Networks in May 2013 to provide backups of the Clinton e-mail accounts. (The Clinton family hired Platte River Networks to manage the system once Hillary Clinton’s term as secretary of state commenced.) Datto Inc. will provide the FBI with information it preserved from her account, if available. The FBI’s probe is in addition to the Justice Department’s independent review.