Security News This Week: Turns Out Baby Monitors Are Wildly Easy to Hack
This week, malware hit jailbroken (mostly Chinese) iPhones, stealing 225,000 iTunes login credentials. Leaked documents show that diplomatic officials in the Ecuadorean embassy in London considered smuggling WikiLeaks founder Julian Assange to freedom in a diplomatic bag. The FBI obtained an audio recording of an “off the record and on background” confession made by accused kidnapper Matthew D. Muller speaking with a local television reporter. And Edward Snowden pointed out that other people go to jail for what Hillary Clinton did with her email server.
And that’s not all. Each week we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!
If the thought of a hacker turning your baby monitor into a spy cam or using it to terrorize you or your child gives you nightmares, I’ve got bad news for you. When security firm Rapid7 tested nine widely available internet-connected baby monitors for security vulnerabilities, the results weren’t pretty. “Eight of the nine cameras got an F and one got a D minus,” security researcher Mark Stanislav told Fusion’s Kashmir Hill. Security flaws included issues such as a lack of encryption, the use of default passwords, and access to Internet portals with the device’s serial number or account number. Rapid7 disclosed the vulnerabilities to the companies, who will hopefully all take the information to heart. Stanislav recommends Nestcam (formerly Dropcam) for security, though Hill points out that law enforcement sometimes sends search warrants for the video. Another option is a radio frequency-based baby monitor, which could only be hacked by someone intercepting the radio signal with a sniffing device outside your house, rather than everyone on the Internet.
Two Vice news reporters who were filming clashes between security forces and youth members of the Kurdistan Workers’ Party in the southeastern Turkish province of Diyarbakir were arrested for allegedly ‘aiding an armed organization,’ which Vice’s head of news programming in Europe called “baseless and alarmingly false charges” made “in an attempt to intimidate and censor their coverage.” Although the two journalists have been released, Mohammed Ismael Rasool, the translator who was arrested alongside them, has been kept in prison. An anonymous Turkish official told Al Jazeera that Rasool had “a complex encryption system on his personal computer that a lot of ISIL militants also utilize for strategic communications.” It turns out that this complex encryption system is simply an encrypted, password-protected hard drive. Rasool denies the claim.
Netflix released Sleepy Puppy, an open source tool developed in-house that flags potential cross-site scripting (XSS) vulnerabilities in secondary applications. The payload management framework will help security engineers identify XSS propagation through systems that aren’t assessed directly, simplifying the process and shortening the amount of time it takes them to remediate any issues.
British citizen Junaid Hussain, who had been working as a hacker for the Islamic State, was killed by a U.S. drone strike while he was in a car in Raqqa, Syria. Hussain, who was described in Islamic State communications as one of the group’s secret weapons, was reported to have hacked into U.S. military files and service members’ Facebook pages, posting personal and financial details online, and even doxing specific service members on his Twitter feed, as well as encouraging assassinations and attacks. He also developed a remote access Trojan, or RAT, to spy on machines. Hussain had previously served a prison sentence for hacking into British government files and posting national ID numbers (the British equivalent of Social Security Numbers), including that of former Prime Minister Tony Blair.
Genieo Innovation, a company known for pushing adware and unwanted apps, is at it again. Its Genieo installer has been caught accessing users’ Mac keychain without permission, or rather, it sneakily asks for permission to open Safari extensions, and then clicks the ‘okay’ button all by itself. Yikes.
It was only a matter of time. According to U.S. officials, foreign spy services, especially those in Russia and China, have been hard at work aggregating and cross-indexing all of those hacked U.S. computer databases, and using the data to identify U.S. spies, the L.A. Times reports. Cross-referencing and analyzing medical data from the Anthem breach, personnel records and security clearance application files from the OPM breach, passenger records from the United Airlines breach, and information from the Ashley Madison hack can paint quite a detailed picture of U.S. intelligence officers and agents. This information makes them vulnerable to blackmail and extortion from foreign intelligence agencies.
Former Secret Service agent Shaun Bridges pled guilty to charges of money laundering and obstruction of justice for stealing Bitcoin from Silk Road while investigating the site. Bridges, who is now considered a flight risk after trying to change his name and social security number, will be sentenced in December.