Security News This Week: US Homeland Security Is Vulnerable to Hacks, Too
It’s been quite an eventful week for hacks. A lockscreen bypass attack for Android phones was detected, meaning it’s time to switch to a PIN or pattern unlock. And just because you’re on an iPhone doesn’t mean you’re exempt from phone hacking; you’ll want to turn off the Bluetooth-enabled AirDrop file sharing feature—unless you like malicious apps, that is. In a victory for privacy advocates, a small New Hampshire library did not succumb to bullying from Homeland Security and instead reinstated its Tor node after a board meeting. Oh, and a new crypto tool to anonymize surveys has come out. And, of course, a maker kid was arrested for bringing a homemade clock to school when his teacher thought it was a bomb. He’s now Silicon Valley’s newest hero.
But that’s not all. Each Saturday we round up the news stories that we didn’t cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!
If you’re like most people, you’ve probably assumed that Facebook’s ad targeting algorithms are already using your “Like” and “Share” data to serve you targeted ads. Actually, that’s starting next month. Up ‘til now, the social media conglomerate has simply been logging the data and won’t begin using it to fine-tune ads until October. While there is a privacy setting allowing users to opt out of seeing targeted ads based on their online activity, the information is still being logged, so you can’t exactly opt out of having your web browsing tracked across multiple sites and browsing habits funneled into Facebook’s ad targeting system.
White House officials have apparently given up on legislation to address the rise of encryption, and may go so far as to publicly reject a law forcing companies to unlock customer communication devices under a court order, according to documents obtained by the Washington Post as well as comments from anonymous senior officials. The hope is that supporting encryption would repair trust in the government as well as U.S. tech companies. However, the intelligence community’s top lawyer, Robert S. Litt, thinks public opinion could turn in the event of a terrorist attack or a crime where strong encryption hinders law enforcement, and the government could always try to opportunistically backdoor encryption when that time comes.
The Department of Homeland Security may be charged with protecting the government’s networks, but its own information systems are vulnerable to hacking, according to an audit by the department’s Office of the Inspector General. The auditors found vulnerabilities in internal systems that Immigration and Customs Enforcement and the Secret Service use for reporting investigation statistics, case tracking, and information sharing, and warned that they “may allow unauthorized individuals to gain access to sensitive data.” Although the report noted some progress in coordination between agencies, it recommended department-wide training and strategic planning for responding to a cyber attack.
A GCHQ investigation revealed that ISIS hackers intercepted top secret emails from the British government, according to <em>Mirror</em>. Little information was revealed, except that ISIS apparently targeted information held by several of David Cameron’s most senior ministers, including Home Secretary Theresa May, possibly discovering events where government figures or British Royal Family members were expected to be in attendance. <em>Mirror</em> further reported that a ringleader of the alleged plot was killed by a drone strike.
After a lengthy legal battle, the 11-year-old gag order that the FBI imposed on Nicholas Merrill has been fully lifted. Assuming the government does not appeal, in about 90 days the former ISP operator will finally be able to speak about the national security letter served on him in 2004. The gag order was partially lifted in 2010, as Kim Zetter reported, allowing Merrill to reveal his own identity.
The free, automated, open-source certificate authority Let’s Encrypt issued its very first certificate on Monday, in a milestone several years in the making. The service, which is provided by the Internet Security Research Group, will soon be rolled out to the broader public, making it easy and free for anyone with a website to obtain a trusted certificate required to move from HTTP to the much more secure HTTPS protocol.
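The “automated” part of Let’s Encrypt is domain validation: before issuing, the CA checks that whoever is asking actually controls the name. The page does not describe the mechanism, so the following is an added illustration (not Let’s Encrypt’s own code) of the ACME HTTP-01 challenge from RFC 8555: the CA hands out a random token, the site publishes a key authorization (token plus the thumbprint of the requester’s account key) under `/.well-known/acme-challenge/`, and the CA fetches it back. The web server, the HTTP fetch, the domain names and the account keys are all stand-ins constructed here so the script runs offline.

```python
"""Toy model of ACME HTTP-01 domain validation (RFC 8555).

Added illustration, not Let's Encrypt project code.  HTTP fetches are replaced
by an in-memory dict of hypothetical hosts so it runs offline; the JWKs below
are placeholders with made-up coordinates, not real keys.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, serialized
    in lexicographic order with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(accountKey): binds the challenge to one ACME account,
    so knowing the token alone is not enough to pass validation."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class Site:
    """Stand-in for a web server: request path -> response body."""

    def __init__(self):
        self.files = {}

    def publish(self, path: str, body: str) -> None:
        self.files[path] = body

    def get(self, path: str):
        return self.files.get(path)


def http01_validate(web: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA's side: fetch the challenge file from the domain being certified
    (never from a host the requester chooses) and compare it to the key
    authorization expected for the requesting account."""
    site = web.get(domain)
    if site is None:
        return False
    body = site.get(f"/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    return secrets.compare_digest(body.encode("ascii"), expected.encode("ascii"))


# Constructed demo account keys (public parts only, placeholder coordinates).
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": "owner-x", "y": "owner-y"}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": "attacker-x", "y": "attacker-y"}


def run_demo():
    """Returns (owner validates example.com, attacker validates example.com,
    attacker validates a host the attacker really controls)."""
    web = {"example.com": Site(), "attacker.example": Site()}
    token = b64url(secrets.token_bytes(32))  # CA issues a fresh random token

    # Legitimate operator publishes the key authorization for *their* account.
    web["example.com"].publish(f"/.well-known/acme-challenge/{token}",
                               key_authorization(token, OWNER_JWK))
    owner_ok = http01_validate(web, "example.com", token, OWNER_JWK)

    # An attacker who learned the token but holds a different account key cannot
    # get example.com validated: the published file is bound to OWNER_JWK.
    attacker_on_victim = http01_validate(web, "example.com", token, ATTACKER_JWK)

    # Publishing on a host the attacker controls only validates that host.
    web["attacker.example"].publish(f"/.well-known/acme-challenge/{token}",
                                    key_authorization(token, ATTACKER_JWK))
    attacker_on_own = http01_validate(web, "attacker.example", token, ATTACKER_JWK)

    return owner_ok, attacker_on_victim, attacker_on_own


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```

The point to take from the model is that the CA fetches from the name it is being asked to certify, and that the file it looks for is tied to the requester’s account key; a real client also has to serve that file over plain HTTP on port 80, which the in-memory `Site` glosses over.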
Vodafone Australia Accessed Journalist’s Cell Phone Data to Try to Determine the Source of a Negative Story
The day after journalist Natalie O’Brien reported that Vodafone’s Siebel data system was vulnerable to hacking, and millions of customers were at risk, a Vodafone employee unilaterally accessed her phone call records and text message data to try to determine who her source was. Vodafone denies any “improper behavior.”
When you post a link on Twitter or send it in a DM, Twitter automatically wraps it in a t.co link, such as http://t.co/1Db8axfrNM, while still displaying the original text to users. But a proposed class action lawsuit filed Monday alleges that rewriting URLs in this way violates the Electronic Communications Privacy Act and California’s privacy law. Read the entire complaint here.
The security firm Malwarebytes found that a malvertising campaign on popular sites such as eBay, the Drudge Report, and Answers.com ran for almost three weeks. The ads themselves did not carry malicious code; instead they redirected visitors to a page hosting the Angler exploit kit, which probes the browser and its plugins for unpatched vulnerabilities in order to install malware. It’s unclear how many users were affected.