Security This Week: Tax Day Is Near, and the IRS Is as Hackable as Ever
There’s rarely a boring moment in the security world. This week, former journalist Matthew Keys was sentenced to two years in prison for aiding Anonymous hackers who briefly defaced a headline on the LA Times website. Keys was charged under the Computer Fraud and Abuse Act, a 1986 computer crime law that allowed prosecutors to push for felony charges.
Then the world learned that the US government paid “grey hat” hackers for information about an iOS 9 software vulnerability, which the feds then used to access the locked iPhone that belonged to a San Bernardino terrorist. The hackers who rolled out a full PR campaign a month before they revealed the Badlock bug turned out to be over-hyping a medium-level security flaw. And the man who wants the world to think he’s the brains behind Bitcoin announced that he will demonstrate proof in London next week—but skeptical security researchers aren’t holding their breath.
But most of the news in the digital security world, as usual, happened behind the screen. Researchers showed that people who prefer the aesthetic consistency of URL shorteners are actually opening themselves up to malware attacks and online spying. Meanwhile, the web is becoming more secure (whew!), thanks to the efforts of the technologists at Let’s Encrypt, who are helping tens of millions of websites switch to HTTPS, which encrypts traffic between users’ browsers and the sites they visit.
And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
It’s Tax Time, But the IRS Still Sucks at Cybersecurity
IRS Chief John Koskinen admitted Tuesday that unless the agency is given permission to pay digital security professionals more than the currently approved salary rates, those much-needed experts will take jobs elsewhere. He noted that the IRS’s top cybersecurity expert recently left and that currently there are only 10 such experts employed at the agency. The IRS has already been the victim of security breaches this year, and Commissioner Koskinen is calling on Congress to authorize the IRS to pay for the expertise it needs to keep Americans’ financial data secure.
Anyone the IRS does hire to boost its security won’t be starting from scratch. Security technologist Bruce Schneier noted this week that the annual Government Accountability Office report on the state of IRS security outlines 43 recommendations for fundamental improvements to IRS security. This is a big deal because of how sensitive taxpayer data is—cybercriminals can easily use it to commit serious fraud.
But taxpayers shouldn’t worry only about the IRS’ own lax security. Ars Technica reported this week that millions of Americans have received fraudulent robocalls from scammers outside the United States claiming to be the IRS. Those who respond are routed to overseas call centers, where operators urge them to wire money under false threats of prosecution.
The President has assembled a new crew of experts from across business, government, and academia to advise the executive branch on improving US cybersecurity. The 12-member body includes retired General Keith Alexander, the former head of the NSA; chief security officers and executives from Uber, Facebook, Microsoft, and MasterCard; and academics from Stanford and Georgia Tech, among others. Among other responsibilities, the new commission will make recommendations for improving digital security across government and the private sector, as well as ways for Americans to improve their personal privacy practices.
In a development that’s resulted in more facepalming than surprise within the cryptography community, a source tells CBS News that the FBI has found “nothing significant” in the data of the now-cracked iPhone of San Bernardino shooter Syed Rizwan Farook. According to CBS, the FBI is still analyzing the phone, which was unlocked with the assistance of contract hackers after a six-week legal dispute with Apple over the company’s refusal to help bypass its own encryption. But iPhone forensics expert Jonathan Zdziarski is skeptical: “There’s no such thing as ‘an ongoing analysis’ this long, unless you’re playing Angry Birds on Farook’s phone,” he wrote on Twitter. The anti-climax of accessing Farook’s work-issued phone was predictable: The FBI had already accessed his personal phone and an older iCloud backup, and the NSA had found no contact with terrorists in his metadata. This all suggests that the FBI’s push for Apple to help unlock the phone was about setting a precedent, not opening a single iPhone 5c.
The crypto war, it’s sometimes easy to forget, didn’t start with a locked iPhone stymying the FBI. This week, the New York Times reminded us of the crypto war’s decades-long history when it covered a recently unsealed 2003 case in which the FBI hacked into the PCs of animal rights activists to bypass their encrypted communications. The case, known as Operation Trail Mix and the first of its kind, used a piece of spyware to grab the keystrokes or decryption keys of PGP-using members of a group called Stop Huntingdon Animal Cruelty, who were trying to shut down a New Jersey lab’s pharmaceutical testing on animals. Despite rules requiring the FBI to report to the federal courts every instance in which it encounters encryption on a wiretap, it never noted the hacking in its annual wiretap report.
As WIRED’s Brian Barrett warned back in February, don’t be one of the dummies who falls for a 4chan prank advising iPhone users to set their phone’s clock back to January 1, 1970. Doing so, thanks to a serious bug in iOS, can permanently brick your device. Now that Apple has patched that retro clock bug, a pair of security researchers have turned the prank into a full-on attack. They used a Raspberry Pi mini-computer to create a Wi-Fi hotspot with the network name “attwifi,” so that any iOS device in range that had ever joined AT&T’s Wi-Fi at a Starbucks would automatically connect to it. The malicious network then answered the device’s unauthenticated time-sync (NTP) requests with a rogue time server that reset the clock to 1970, triggering that very nasty bug on any unpatched iPhone or iPad. Simply walking down a city street with the researchers’ device could brick devices in all directions, a disturbing demonstration of two things: that iOS devices will happily auto-join any network with a remembered name, and that trusting the clock to whatever time server the local network provides is a bad idea. Keep iOS updated.
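The weak point the researchers exploited is that a plain NTP reply carries no authentication, so a client that accepts whatever time the local network hands it can be stepped back 46 years. The check below is an added example written for this article, not code from Apple or from the researchers: it parses a 48-byte NTP server reply, converts the transmit timestamp from the NTP epoch (1900) to Unix time, and refuses to apply any step larger than a hypothetical one-week policy limit. The sample replies are constructed inline, not captured traffic.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2_208_988_800
# Hypothetical sanity policy: never step the local clock by more than a week
# on the say-so of an unauthenticated time server.
MAX_STEP_SECONDS = 7 * 24 * 3600


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def parse_ntp_reply(packet: bytes) -> float:
    """Return the transmit timestamp of an NTPv4 server reply as Unix seconds.

    Layout (RFC 5905): byte 0 = LI/VN/mode, byte 1 = stratum, bytes 40-47 = transmit timestamp.
    """
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:  # 4 = server reply; anything else is not an answer to our query
        raise ValueError(f"unexpected NTP mode {mode}")
    stratum = packet[1]
    if stratum == 0 or stratum > 15:  # 0 = kiss-o'-death, >15 = unsynchronised
        raise ValueError(f"server not usable, stratum {stratum}")
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    return ntp_to_unix(tx_sec, tx_frac)


def accept_time(reply_unix: float, local_unix: float, max_step: float = MAX_STEP_SECONDS) -> bool:
    """True if the server's time is close enough to the local clock to be applied."""
    return abs(reply_unix - local_unix) <= max_step


def build_reply(unix_time: float, stratum: int = 2) -> bytes:
    """Construct a minimal NTP server reply for testing (constructed data, not a capture)."""
    ntp_sec = int(unix_time) + NTP_UNIX_OFFSET
    ntp_frac = int((unix_time - int(unix_time)) * 2**32)
    header = bytes([0x24, stratum, 6, 0xEC])  # LI=0, VN=4, mode=4; poll=6; precision=-20
    root_delay_and_dispersion = b"\x00" * 8
    ref_id = b"GPS\x00"
    empty_ts = b"\x00" * 8                    # reference, origin and receive timestamps
    transmit_ts = struct.pack("!II", ntp_sec, ntp_frac)
    return header + root_delay_and_dispersion + ref_id + empty_ts * 3 + transmit_ts


if __name__ == "__main__":
    local_now = 1_460_000_000.0  # constructed "current" clock, April 2016
    honest = parse_ntp_reply(build_reply(local_now + 30))
    rogue = parse_ntp_reply(build_reply(0))  # server claims it is 1970-01-01T00:00:00Z
    print("honest reply accepted:", accept_time(honest, local_now))
    print("rogue 1970 reply accepted:", accept_time(rogue, local_now))
```

A step limit like this only narrows the attack, since a rogue server can still nudge the clock within the window; the real fixes are authenticated time (for example NTS, or a vendor-pinned server over TLS) and, as Apple did, making the date-handling code survive any value it is given.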
A Vice investigation this week into Canadian court documents from the prosecution of a Montreal-based crime network revealed that Canadian police have held, for years and in secret, an encryption key that can unlock messages from millions of BlackBerry devices. The documents came to light after a two-year trial revealed that the Royal Canadian Mounted Police used BlackBerry’s global encryption key to read communications it had intercepted, in an investigation that also relied on cell site simulators. The key in question is the shared global key used for consumer PIN-to-PIN and BBM messaging, not the per-deployment keys generated by corporate BlackBerry Enterprise Server installations. Exactly how BlackBerry worked with Canadian law enforcement to provide the key remains unknown, but what is clear is that the company collaborated deeply with police to read customer communications without those customers’ knowledge.
It shouldn’t surprise anyone that the CIA is watching social media, but now we know a lot more about how it’s done and what the agency hopes to do in the future. An investigation by The Intercept into the CIA’s venture capital arm, In-Q-Tel, reveals that a number of tech companies specializing in social media mining and data analytics receive CIA funding to build and research new tools for social media surveillance. One company, Dataminr, scans Twitter to help law enforcement track trending topics. Another, Geofeedia, specializes in geolocation tracking of posts during events (a protest, for example), while other companies build tools for analyzing the networks and influencers posting and organizing on social media sites. Privacy advocates warn that these technologies are helping the US government compile dossiers on people based on constitutionally protected speech, and that police labeling social media users with algorithms built by private companies is a serious cause for concern.