Security This Week: Apparently China Is Still Hacking US Companies
This week, a group of teenagers hacked CIA director John Brennan’s private AOL account, and WikiLeaks started publishing his leaked emails. Some ingenious French criminals exploited the supposedly secure chip and pin credit cards that are even more secure than what the US just adopted. (Let’s just say we told you so.) Facebook will now warn users about nation-state attacks, but it will also allow users to find public posts using search, so you may want to consider hiding yours. And WIRED set the record straight on the importance of reporting on car hacking.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
The US and China reached a historic agreement last month to stop hacking into each other’s systems to steal economic secrets. But according to the American security company CrowdStrike, this hasn’t stopped hackers with ties to the Chinese government from continuing to target US companies. In fact, one attack took place the day after the agreement was reached. However, there’s a possibility that the hackers were acting on their own rather than following government orders.
Computer scientists at Boston University warned that the Internet’s time-synchronization system has weaknesses that can be exploited. Attackers could spy on encrypted communications, roll a victim’s clock back in time so that it accepts fraudulent certificates that have since expired or been revoked, block time-synchronization updates and cause outages, and even bypass security measures intended to prevent tampering with the Domain Name System. Not to worry, though: there are ways to tighten the Network Time Protocol’s security.
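As an added illustration (not code from the Boston University researchers or from WIRED), here is a defender-side sanity check a client could run on an NTP server response before stepping its clock: it parses the transmit timestamp, rejects any server time earlier than a trusted floor (here a constructed build date), and rejects steps larger than a panic threshold, so a spoofed response cannot quietly roll the clock back into a revoked or expired certificate’s validity window. The floor date, the 1000-second threshold and the `build_response` helper are assumptions made for this example.

```python
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to the Unix epoch
PANIC_THRESHOLD = 1000.0               # assumption: refuse clock steps larger than this
# Assumption: a "build date" floor; no trustworthy server reports a time before it.
TIME_FLOOR = datetime(2015, 10, 1, tzinfo=timezone.utc).timestamp()


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Return the transmit timestamp of a 48-byte NTP server response as Unix time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07                      # low 3 bits of the first byte
    if mode != 4:
        raise ValueError(f"not a server response (mode {mode})")
    stratum = packet[1]
    if stratum == 0 or stratum > 15:             # kiss-o'-death or unsynchronised
        raise ValueError(f"unusable stratum {stratum}")
    secs, frac = struct.unpack("!II", packet[40:48])   # transmit timestamp field
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def vet_offset(server_time: float, local_time: float,
               floor: float = TIME_FLOOR, panic: float = PANIC_THRESHOLD):
    """Decide whether to apply a server's time; returns (accept, reason)."""
    if server_time < floor:
        return False, "server time predates the trusted floor"
    offset = server_time - local_time
    if abs(offset) > panic:
        return False, f"step of {offset:.0f}s exceeds the panic threshold"
    return True, "ok"


def build_response(unix_time: float, stratum: int = 2) -> bytes:
    """Constructed helper: craft a minimal mode-4 response carrying unix_time."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    packet[1] = stratum
    ntp_secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2**32)
    struct.pack_into("!II", packet, 40, ntp_secs, frac)
    return bytes(packet)


if __name__ == "__main__":
    local = 1445612400.0                         # constructed local clock, Oct 2015
    for label, t in [("honest", local + 0.3), ("rollback", local - 7200),
                     ("pre-floor", 1400000000.0)]:
        print(label, vet_offset(parse_ntp_transmit_time(build_response(t)), local))
```

A real client would also authenticate responses (for example with NTP's symmetric-key MACs) and cross-check several servers; the bounds above only limit how far a single bad response can move the clock.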
Remember Carl Mark Force IV, the DEA agent who pleaded guilty to extortion, money laundering, and obstruction of justice he committed while working to take down Silk Road? He’s going to prison for six and a half years and has been ordered to pay $340,000 in restitution.
First, Google said it’d make full-device encryption mandatory for new devices running Android 5.0. Then it changed its mind, and merely recommended it rather than requiring it. Now it will require it for Android 6.0, but only for phones that meet minimum speed and crypto performance requirements. Sadly, that doesn’t include users of most Android phones being sold and used today, Ars Technica reports.
Ever wanted to read a publicly funded research study and found yourself bugging random grad students you know because you couldn’t afford the exorbitant fee? Now you can ask for it on Twitter with the hashtag #ICanHazPDF. Make sure to include your email address in the tweet, and delete it as soon as you get the article. And don’t thank people–it’s incriminating. Just ask Colombian student Diego Gomez, who’s on trial for sharing another researcher’s Master’s thesis on Scribd. Good Samaritans with access to academic journals can share links with friends and strangers, but as Electronic Frontier Foundation activist Elliot Harmon rightly points out, this does little to address the underlying issue. “When only people with large budgets or institutional connections can access and use research, it puts many others at a severe disadvantage. No hashtag can change that.”
Turns out that giving your electric kettle your Wi-Fi password leaves that password vulnerable to attackers. Researchers from Pen Test Partners aimed a directional antenna at houses with iKettles, spoofed the original network’s SSID, and got the iKettle to connect to their networks using the password for the original Wi-Fi network they were connected to. Perhaps someone should’ve just invited them in for tea.
Members of the House Committee on Oversight and Government Reform were concerned that the Obama administration’s federal guidelines for stingrays—which require a warrant in most cases—don’t offer any meaningful privacy protection when it comes to use of the invasive surveillance devices by state and local law enforcement agencies. Since there are way more stingrays used on the local level than on the federal level, here’s hoping they follow suit. Ideally without the vague exemptions.
If you’ve ever gotten a warning that a site you’re visiting contains malware, and gotten really confused, you’re in luck–Google has launched a Site Status section in its transparency report that’ll allow you to search a blocked URL and find out why Google’s systems have flagged it.
The government of the Republic of Congo temporarily cut access to the country’s main ISP ahead of protests against a referendum allowing the current president to be eligible for a new term. Unfortunately, the world has seen this tactic used before, by Egypt during the Arab Spring, as well as countries such as Syria and Pakistan.