This week, most major security news connected to the Paris terrorist attacks, which government officials eagerly used as an opportunity to renew their assault on encryption. After the attacks, it's likely that encryption will be a key issue in the 2016 election. Although it turns out that the Paris attackers did not encrypt their communications at least part of the time, a look at an OPSEC manual used by ISIS gave the world insight into the terror group's security protocols. Meanwhile, the startup Zerodium broke with tradition and published a price chart for zero-day attacks, and Carnegie Mellon denied getting paid for turning its Tor-breaking method over to the FBI—though it likely handed over the information after getting subpoenaed. We also took a look at what Quantico gets wrong about hacking (spoiler: everything), and showed you how to enable two-factor authentication for your Amazon account.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
When the NSA's mass surveillance of American citizens' emails was revealed in 2013, the government said that the program had already ended in December 2011. Newly disclosed documents obtained by the New York Times through a lawsuit under the Freedom of Information Act show that's not entirely the case. It turns out that a November 2010 rule change allowed the NSA to sweep up American’s bulk metadata found on fiber optic cables abroad, meaning it could shift surveillance a functional equivalent overseas. The agency could then collect the metadata in bulk without having to obtain it from US telecoms, and without as much pesky FISA oversight. In addition, warrantless surveillance targeting emails sent to or from Americans to non-citizens abroad is permissible under the FISA Amendments Act of 2008.
The Manhattan District Attorney’s office has issued a new report on smartphone encryption and public safety, which calls for Congress to pass a law requiring smartphone and tablet operating system designers “to ensure that data on its devices is accessible pursuant to a search warrant.” This, of course, would require government backdoors, which would weaken the security of devices and make communications vulnerable to theft and hacking. But it's unlikely—at least so far—that this will happen. Despite some lawmakers and state and local officials calling on Congress to pass legislation to weaken encrypted communications, Obama administration officials have stated there are no plans to draft this type of legislation.
In wake of the Paris attacks, the hacker collective Anonymous has promised to intensify its campaign against ISIS with its #OpParis campaign. It released a list of more than 1,000 Twitter accounts it says the terror group is using to spread propaganda. This isn’t the first time Anonymous has gone after ISIS. It launched #OpISIS following the assault on the Charlie Hebdo headquarters, and claimed credit for shutting down websites and exposing email addresses and Twitter accounts associated with ISIS, arguably harming its communication channels and propaganda campaigns. But some critics say that this campaign could disrupt intelligence gathering in ongoing law enforcement investigations. In contrast, the Ghost Security Group (previously GhostSec) has been providing data it collects on attack plots and recruitment efforts to government counter-terrorism officials in addition to flagging Twitter accounts and videos, shutting down propaganda sites, and even infiltrating jihadi forums and gathering information on locations and IP addresses.
During an FCC oversight hearing, US Representative Joe Barton said that the best way to counter terrorism in the wake of the Paris attacks is to shut down websites used by groups like ISIS, including social media networks. This might make sense if there were sites and social media networks used solely by terrorists, but in the real world? Not so much. Next up: proposals to ban highways used by terrorists, or shut down electricity. As ridiculous as this all sounds to us, it’s worth noting that the Department of Homeland Security has yet to share details on its “Standard Operating Procedure 303,” approved in 2006. Some speculate that it's an internet kill switch the government can use to shut down mobile communications during an emergency.
In related news, authorities in Dhaka, Bangladesh have blocked access to Facebook, WhatsApp, Viber, and other online messaging services countrywide. For several hours last Wednesday, the government shut down internet access in the country entirely. Internet shutdowns are often a precursor to other human rights violations.
Those of you who think Blackberry’s products are more secure than its competitors may want to pay attention: When speaking at the FedTalks government IT summit, Blackberry’s Chief Operating Officer Marty Beard said that the company believes in a “balanced” approach to encryption, and prioritizes cooperation with law enforcement. Translation: Blackberry is totally cool with building government backdoors, in spite of it weakening the security of all communications. Doesn’t sound very balanced to us.
The teenage hackers who breached CIA director John Brennan’s personal email have now published a list of 1,500 government employee names, phone numbers, and email addresses—perhaps from their original breach. Although Motherboard wasn’t able to verify all of the names and details on the list, it reports that some of them seem legitimate.
Researchers at the security firm iPower found that multiple police cameras manufactured by Martel Electronics were shipped to them preloaded with the Win32/Conficker.B!inf worm. Conficker is a persistent worm first detected in 2008. It has infected millions of computers since, though it's unclear what its purpose is. According to iPower, Martel Electronics has yet to officially acknowledge the vulnerability.
Starwood Hotels & Resorts says that some of its hotels’ restaurant and gift shop payment systems were hit with malware. The company says 54 of its properties in North America were affected, and that payment card information was the target. So far, though, there's no indication that other sensitive information, like Social Security numbers and PINs, was compromised.
Hospital equipment isn’t exactly known for its cybersecurity, and now, a new report released by technology and market research company Forrester Research predicts that ransomware for medical devices or wearables will be a reality in 2016. We haven’t seen ransomware on medical devices yet, but it has has been used on computers to extort payment, typically in Bitcoin, from users in order to decrypt their communications, and internet-connected medical devices are in many cases notably insecure.
