Another week chock-full of hacks and vulns, and if you thought your password manager and cell phone were safe, you’ll want to pay close attention to the LastPass breach.
After the Sunday Times posted an unsubstantiated article quoting anonymous government sources alleging that Russia and China cracked the cache of files liberated by whistleblower Edward Snowden, security technologist Bruce Schneier came to Snowden’s defense and took it a step further, positing that they had likely already accessed the files long before Snowden did.
The Electronic Frontier Foundation released its annual “Who’s Got Your Back” privacy scorecard, and, as Andy Greenberg points out, Google didn’t do so well and WhatsApp is on the bottom of the list.
Digital espionage hit the Big Leagues in a development that’s more akin to some jerk stealing a friend’s password than an actual hack, but no matter how they did it, one thing is clear—the St. Louis Cardinals allegedly managed to access personal data about Astros players and are under FBI investigation for it.
Facebook is paying close attention to how much time we spend interacting and engaging with content, which is probably great for advertisers but also a little bit creepy.
And speaking of creepy, if the so-called “dark web” gives you the willies, Joseph Cox’s must-read op-ed cuts through the mythos and breathes some common sense and clarity into this much-maligned portion of the web.
And that’s just the beginning. Here are the hacks and security stories we didn’t cover in-depth this week, but which deserve your attention. As usual, to read the full article, click on the headlines below. And stay safe out there.
### Facial Recognition Talks Collapse
The Commerce Department's National Telecommunications and Information Administration brought together privacy advocates and industry representatives starting early last year, with the goal of developing a voluntary code of conduct for the commercial use of facial recognition technology. Unfortunately, it looks like the tech industry lobbyists didn't want to play ball, and couldn't even agree that companies should refrain from tracking and identifying people by name without their informed consent. As a result, all nine privacy advocates walked out in protest after 16 months of meetings. "We hope that our withdrawal signals the need to reevaluate the effectiveness of the multistakeholder process in developing effective rules of the road that protect consumer privacy—and that companies will support and implement," a joint statement by the privacy advocates reads.
### Be Careful Which Networks You Connect to on Your Samsung Galaxy S6
Over 600 million Samsung Galaxy S phones are susceptible to a major security risk in the phone’s default IME keyboard. The vulnerability would allow an attacker to eavesdrop on calls, read incoming and outgoing text messages, install malicious apps, and access the camera and phone. It was discovered by NowSecure mobile security researcher Ryan Welton last December and presented at the Black Hat Mobile Security Summit in London earlier this week. It’s hard to pin the blame on just one company. Samsung’s default keyboard uses SwiftKey technology to power typing features such as word predictions, and SwiftKey made the mistake of failing to use TLS encryption for the zip archive sent during language pack updates. This leaves users vulnerable to man-in-the-middle attacks. Samsung added fuel to the fire by giving these updates system-user-level permissions, allowing them to bypass Android’s normal protections. And although Samsung made a patch available to mobile carriers on March 27 of this year, the carriers are taking their sweet old time to push out the updates. While waiting for a patch, you can reduce your risk by avoiding public Wi-Fi or using a VPN.
### OS X and iOS Flaws Let Hackers Steal Keychain, 1Password Contents
Think you’re off the hook because you’re on an iPhone rather than a Samsung Galaxy? Not so fast. A group of researchers found flaws in the sandboxes protecting both iOS and OS X that could allow hackers to steal passwords from your keychain and from the password manager 1Password. The researchers submitted malicious proof-of-concept apps to Apple’s App Store. The apps were accepted, and the researchers were able to bypass sandboxing protections. 1Password has tips for users on its blog to help mitigate some of the risk while waiting for a fix. “In light of the vulnerabilities, users of all OSes should limit the apps they install to those that are truly needed and explicitly trusted,” wrote Ars Technica Security Editor Dan Goodin.
### Congressional Staff Get Ensnared in OPM Hack
Congressional staffers’ fears were confirmed late Tuesday, when they got word that their sensitive personal information was likely compromised in the Office of Personnel Management data breach. Although the breach was originally thought to affect 4.2 million federal employees in the executive branch, the discovery of a second breach raised the estimate to 14 million people. “It now appears likely that the service records of current House employees employed previously by ANY federal government entity (including the House, if an individual left the House and later returned to a House position) may have been compromised,” House chief administrative officer Ed Cassidy told The Hill website in an email. Retirement records of federal agency employees are forwarded to the OPM, and it’s possible that both active and inactive security clearance background investigation files were exposed.
### Encryption is a Fundamental Human Right, Says U.N.
In a heartening moment for privacy advocates, U.N. Special Rapporteur on freedom of opinion and expression David Kaye presented a report at the United Nations Human Rights Council in Geneva on Wednesday. He emphasized the importance of strong encryption and anonymity internationally, and advocated against restrictions on anonymity and encryption, backdoors, key escrows, and weak encryption standards.
### Warrants for Stingrays and Drones?
The Protecting Individuals from Mass Aerial Surveillance Act was introduced in the Senate this past Wednesday. The bill would require federal agencies to (gasp!) get a warrant before conducting aerial surveillance, thus preserving some semblance of Fourth Amendment rights. The bill only applies to federal agencies, not states, and does not cover areas within 25 miles of the border.
### Uber to Drivers in China: We'll Know If You Attend a Taxi Protest
Anyone who still believed that Uber’s GPS tracking is innocuous can put an end to that notion. The ride-sharing service has forbidden drivers from participating in taxi protests in Hangzhou, and threatened to cancel contracts with those who do. “We firmly oppose any form of gathering or protest, and we encourage a more rational form of communication for solving problems,” an Uber spokeswoman told Quartz. The fact that the company uses geo-tracking to monitor its drivers to assure that they avoid protests is particularly disturbing.
### Terrible News for Free Speech in the E.U.
The European Court of Human Rights determined that Estonian news site Delfi can be held liable for anonymous comments posted on the site—even if the comments are removed when requested. The decision, which stems from a 2006 article published about the ferry company SLK, brings a nine-year legal battle to a close. The article in question led to threatening and defamatory comments, posted anonymously, directed at SLK and its owner. The decision could have negative repercussions for free speech online.