2015-06-28

Source: WIRED
Original author: Yael Grauer
Post date: June 27, 2015
Link in WIRED: Security News This Week: Google Says Goodbye to Revenge Porn, Hello to Eavesdropping

Quote:

Of all the security news this week, Facebook’s ability to identify individuals who aren’t even showing their face is perhaps the most disturbing. If you thought turning away from the camera in a photograph meant that you could escape from Facebook’s steely gaze, you’re in for a big surprise. It may well be able to recognize you even if you put a paper bag over your head.

And make sure to add a $300 spy bug that fits inside a pita to your list of threats, lest your encryption keys get stolen with radio waves originating from your processor. Another not-so-comforting thought: the protocol used to transmit flight plans lacks authentication, so basically all airlines have the same security holes that grounded more than 10 planes on June 20.

Wikileaks released a scandalous collection of classified NSA files revealing that the US has been spying on French presidents for three administrations. The site relaunched its anonymous submission system last month, and is crowdsourcing donations and offering cash rewards to leakers of specific documents, so it looks like Wikileaks is just getting (re)started.

Shocker: NSA and GCHQ were engaged in a prolonged and systematic campaign to target Kaspersky and other antivirus and security firms to subvert their software. Hundreds of .gov passwords have been found in public hacker data dumps, so hopefully those very same passwords weren’t reused on personal accounts. If you’re not using two-factor authentication already, now’s a good time to start. Turns out the government implemented its secret zero-day policy starting in February, 2010.

Kim Zetter took a deep dive into the Wassenaar Arrangement, a proposed set of export rules that are intended to restrict surveillance tool sales to oppressive regimes, but are written so vaguely and broadly that they could criminalize legitimate security tools and make it difficult for security researchers to do their jobs.

And there’s more. Here are the security vulnerabilities and privacy updates that we didn’t cover in-depth this week, but which deserve your attention nonetheless. As always, click on the headlines to read the full story linked in each summarized post below. And be safe out there!

Revenge Porn Will be a Little Harder to Find, Thanks to Google

Google may not have the power to rid the world of revenge porn altogether, but it’ll be taking an important step to at least make it a little bit harder to find. Senior Vice President Amit Singhal announced in a blog post that the search engine powerhouse will begin removing nude or sexually explicit images shared without the subject’s consent from search listings. It plans to roll out a web form to allow users to submit requests for the de-indexing of these images.

Chromium, Google Chrome’s Open Source Counterpart, Was Installing a Closed-Source Voice Extension

Chromium, the open-source version of Google’s Chrome browser, was caught sneakily installing Chrome Hotword, an extension with eavesdropping capabilities. Although it was turned off by default, open-source advocates were reasonably upset that it was automatically downloaded, that the download and program’s existence were both hidden, and that the extension was installed with no source code, violating the spirit of open source software. Google developers announced Tuesday that builds of Chromium 45 would not download the module by default. Chrome users can enable the hotword module, or make sure it’s turned off, by clicking on the microphone next to the search bar on Google.com.

Yet Another Adobe Flash Zero-Day

Security vulnerabilities flock to Adobe Flash Player like bees to honey, so it’s hardly a surprise that many Windows, Mac, and Linux users who haven’t managed to wean themselves off of this outdated, buggy software have yet another new patch to install. This one fixes a vulnerability that the company stated “could potentially allow an attacker to take control of the affected system,” and is “being actively exploited in the wild via limited, targeted attacks.” According to a Singapore-based FireEye security research team, users were targeted by the China-based group APT3 (also known as UPS), which sent phishing emails with offers for refurbished iMacs.

Corrupt DEA Agent Who Investigated Silk Road Pleads Guilty

What fun is drug enforcement without some good old-fashioned extortion and money laundering thrown in? While investigating the Silk Road drug trafficking site, DEA agent Carl Force stole hundreds of thousands of dollars in bitcoin, and court papers indicate that Force will formally enter a guilty plea on July 1. Secret Service agent Shaun Bridges agreed to plead guilty last week for a similar but entirely separate scam. Ulbricht’s lawyer has argued that his client did not receive a fair trial because he was not allowed to discuss these agents during his trial due to an ongoing corruption investigation.

UK Likely Complicit in US Drone Strikes, GCHQ Documents Indicate

British intelligence agency GCHQ may have helped the NSA coordinate drone strikes outside of recognized war zones, including a 2012 Yemen drone strike, according to classified GCHQ documents provided to the Guardian by whistleblower Edward Snowden. The documents further indicate that the UK was working to build location-tracking capabilities in Pakistan.

Another Software Company Flees the UK Due to Surveillance Concerns

The open-source blogging platform Ghost has decided to move the default location for its customer data from the UK to Amsterdam due to the newly elected government’s pledge to scrap the Human Rights Act, a move that would weaken protections for privacy and freedom of expression. Two other companies, Ind.ie and Eris Industries, both left the UK in May due to concerns about mandated crypto backdoors in the Snooper’s Charter, which could be reintroduced in the next parliament.

Give Snowden a Fair Trial, Council of Europe Presses

Europe’s leading human rights organization has called on the US to allow NSA whistleblower Ed Snowden to receive a fair trial—one in which he would be permitted to present a “public interest defense.” Snowden has been charged under the Espionage Act, which has no public interest exception. As Freedom of the Press Foundation executive director Trevor Timm has explained, if he faced trial in the US under the Espionage Act, the intention behind his leaks, their value to the public, and the lack of harm caused by them would likely be inadmissible in court until sentencing.
