Security This Week: Peek Inside the Government’s Spy Gear Catalog
This week, Congress shamefully snuck CISA into the omnibus bill, which passed in both the House and Senate. The GOP debate proved that the slew of Republican candidates—with Ted Cruz and Rand Paul as possible exceptions—don’t have a clue about technology. We took a look at the greatest hits of YouTube’s favorite hacker, Samy Kamkar. And WikiLeaks founder Julian Assange will finally get his day in court—or in an Ecuadorian embassy office. Six men were charged for a massive fraud scheme selling pirated copies of Adobe and Microsoft products. Obama said that the federal government vets social media as part of the visa review process. And tech giant Juniper Networks revealed that it found a hidden backdoor in its own code.
And that’s just the start of it. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
Just in time for Christmas, The Intercept obtained a secret, internal government catalog of surveillance devices used by federal law enforcement and local police. The catalog was obtained from a source within the intelligence community who is concerned about the increasing militarization of domestic law enforcement. It includes details about cell site simulators such as Stingray and Boeing dirt boxes. Some of the spy toys can be used for geolocation. Others can be used to snoop on phone calls and text messages. A few can even extract media files, address books, and notes from captured phones. One can even retrieve text messages that have been deleted. Critics have long maintained that use of the devices often violates the Fourth Amendment and other constitutional rights. Many are used without warrants, or with overly broad warrants. Judges and privacy advocates alike have expressed concern that the devices are used without full disclosure of their capabilities, even within court proceedings.
Anti-virus provider MacKeeper left 13 million users’ data exposed. Security researcher Chris Vickery discovered that a database holding 13 million Mac owners’ records could be reached simply by visiting four specific IP addresses, with no username or password required. Vickery was able to view names, usernames, email addresses, password hashes, IP addresses, system information, software licenses, and activation codes. The password hashes had been generated with the weak MD5 algorithm, and weren’t even salted. Vickery simply used the Shodan search tool to find the open database. According to MacKeeper, only the researcher accessed the data, and the hole has since been patched. The company told Forbes it was already in the process of upgrading to SHA512 before all this happened.
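To show why the MacKeeper hashes were weak, here is an added example (not code from MacKeeper or from this story) contrasting unsalted MD5 with a per-user salted, iterated SHA-512 scheme; the user records and the iteration count are constructed assumptions. Note that the salt and the work factor, not just the switch from MD5 to SHA512, are what fix the problem.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample records (not data from the MacKeeper database):
# two of the three users happen to share a password.
SAMPLE_PASSWORDS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

PBKDF2_ITERATIONS = 120_000  # assumed work factor; tune to your own hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme: fast and deterministic, so equal passwords give
    equal hashes and a precomputed table maps a hash straight back to
    its password. A bare, unsalted SHA-512 would have the same flaw."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def users_sharing_hash(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by stored hash and return only the collisions.
    With unsalted hashes, any group larger than one reveals password reuse
    without the attacker cracking anything."""
    groups: Dict[str, List[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random 16-byte salt plus PBKDF2-HMAC-SHA512.
    Stored as 'pbkdf2_sha512$iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("users sharing an unsalted MD5 hash:", users_sharing_hash(weak))
    strong = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("users sharing a salted hash:", users_sharing_hash(strong))
    print(verify_password("hunter2", strong["alice"]), verify_password("wrong", strong["alice"]))
```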
In the biggest overhaul of European privacy laws in 20 years, the European Union approved new rules for data protection on Tuesday night, giving consumers more control over how their data is used or retained. Companies that don’t follow these rules will face large fines. The law also expands potential liability for data breaches to both data processors and data controllers, rather than just controllers, and mandates a data protection officer for large companies and for companies of any size where data processing is a key component of their business. All 29 EU member countries must adapt their national laws or pass new ones within two years of when this law is officially published, likely early next year.
Ninety-three percent of Brazil’s internet users depend on WhatsApp, but the Brazilian government tried to ban it for 48 hours anyway because the company apparently did not respond to a court order. Luckily, a judge overruled the decision and lifted the ban after only 12 hours—you know, because it has a negative impact on millions of users. The judge recommended that WhatsApp pay a fine instead.
From the “encryption for me, but not for thee” department: the US government may be fighting for crypto backdoors, but it has also cleared Silent Circle’s encrypted phone app, Silent Phone, for its own use. The app allows users to make end-to-end encrypted phone calls from iOS and Android devices, including the Silent Circle Blackphone 2, of course.
Time for most Linux users to install an emergency patch to prevent being hacked by anyone with access to their computer. This silly bug lets anyone who hits the backspace key 28 times bypass authentication and own the machine, by causing an error in the system’s memory that then launches the rescue function. The researchers say the attacker can then access the Grub rescue shell and get at the computer’s data as well, allowing them to steal or destroy it, or to install persistent malware.
Facebook has made some changes to its controversial ‘real name’ policy this past Tuesday. Previously, the social network insisted that people use their birth names on the site, and allowed users to easily flag people using a “fake name.” Pseudonymous users then had their accounts suspended and were required to provide official documents to verify their identity. Facebook could even change the name they used to the one on a document they sent in, without their consent, leaving domestic violence survivors, transgender people, and other marginalized folks more vulnerable. After much criticism, Facebook has agreed to make some modifications to its name verification rules and to change how fake names are reported. People flagging accounts will have to provide more information, and users reported for using pseudonyms will have seven days to access their profile while appealing the challenge, and will be given options to explain their situation if they are using a nickname or pseudonym for a special circumstance. (Facebook isn’t ready to let go of the policy completely, and some activists believe the changes don’t go far enough, but this is a start.) The updated reporting system is already available in the US and may be rolled out internationally.
The DEA secretly collected billions of Americans’ international phone call records from the 1990s to 2013. EFF filed a lawsuit on behalf of Human Rights Watch in 2015, challenging the legality of the program. Human Rights Watch agreed to dismiss the case after the government stated, under penalty of perjury, that bulk collection has ceased and that the database containing billions of call records collected by the DEA has been destroyed.
Twitter issued warnings to a handful of users that their accounts may have been targeted by state-sponsored actors seeking to access IP addresses, email addresses, and phone numbers. Little other information was given.