Photo: Niantic
The game Pokémon Go is extraordinarily popular, with one extraordinarily unpopular drawback: its iOS app has been demanding full access to your Google account. That meant the app could potentially “see and modify nearly all information in your Google Account,” according to Google, short of changing your password or tapping into Google Wallet. This is very bad! And now you can fix it.
The app’s first update, available now in the App Store, remedies some log-in issues and works to minimize crashes, all typical early update stuff. It also, though, according to game developer Niantic’s release notes, “Fixed Google account scope.” That’s a bit of an understatement. Now, instead of potentially tapping into everything you do on Google, it can access only your Google User ID and email address.
For the change to go into effect, you’ll need to download the update, sign out, and sign back in. You should see a new, much more limited permission request screen. If you signed up with a Pokémon Trainer Club account instead, or on Android, proceed with your regularly scheduled Poké Stops.
Niantic had previously characterized the overreach as “erroneous,” and assured people that it had only accessed User IDs and email addresses despite its broader mandate. Today’s patch is a quick fix to a problem that never should have existed in the first place. Even if you trust Niantic with that much sensitive information—and there’s no reason you should—any service that can tap into that kind of wellspring becomes an immediate target for hackers.
So did you update yet? Good. You’ve successfully defended your Google account. Now go find a gym and do the same.
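The fix described above is a least-privilege change: the app went from a broad account scope to only the user's ID and email address. A defender reviewing a client's OAuth consent request can check for that mechanically by comparing the scopes in the authorization URL against an identity-only allowlist. The following is an added example written for this page, not Niantic's or Google's code. The allowlist uses real Google scope names; the sample authorization URLs, the client ID, the redirect URI, and the choice of a Drive scope as a stand-in for an over-broad request are all constructed for illustration and are not what the app actually requested.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that only identify the signed-in user (real Google scope names).
# Anything outside this set grants access beyond "who is this user".
IDENTITY_ONLY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def requested_scopes(auth_url: str) -> set[str]:
    """Return the set of scopes named in an OAuth 2.0 authorization URL.

    The `scope` parameter is a single space-separated string; parse_qs
    already turns '+' and '%20' back into spaces before we split it.
    """
    query = parse_qs(urlparse(auth_url).query)
    scopes: set[str] = set()
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def excess_scopes(auth_url: str, allowed: set[str] = IDENTITY_ONLY_SCOPES) -> set[str]:
    """Return every requested scope that goes beyond the identity-only allowlist.

    An empty result means the request is limited to user ID / email / profile.
    """
    return requested_scopes(auth_url) - allowed


def audit(auth_url: str) -> str:
    """Human-readable verdict for a consent request."""
    extra = excess_scopes(auth_url)
    if not extra:
        return "OK: identity-only scopes"
    return "OVER-BROAD: " + ", ".join(sorted(extra))


# Constructed sample requests (hypothetical client ID and redirect URI).
BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid+email"
)

if __name__ == "__main__":
    for label, url in (("before", BROAD_REQUEST), ("after", MINIMAL_REQUEST)):
        print(f"{label}: {audit(url)}")
```

The check is intentionally an allowlist rather than a blocklist: a new or renamed scope that the reviewer has never seen is flagged by default instead of slipping through.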
Twitter wants you to know that it is just as horrified as you are about the tweets on its platform promoting terrorism—and that, yes, the company is trying to combat it.
In recent months, Twitter has come under fire as ISIS propagandists used the platform to promote their cause and recruit would-be militants. While Facebook has taken a blunt approach toward removing any and all posts that have even a whiff of terrorism, Twitter has sought to strike a balance between protecting free speech and cracking down on people who use Twitter as a way to promote violence or threats. In some cases, after all, one person’s political speech is another’s call for terrorism.
The company said in a post today that it continues to work to crack down on violent extremism on its platform. It has suspended more than 125,000 terrorist-related accounts, primarily accounts associated with ISIS, since the middle of last year and has added more people to the teams that review reports of terrorist propaganda in an effort to make speedier decisions about whether to remove it. Twitter says it’s used “proprietary spam-fighting tools” to find similar accounts and has worked with the FBI and other organizations.
The impetus behind Twitter’s post seems to be a need to let the world know that it’s doing something. Politicians like Hillary Clinton have emphasized that the US needs Silicon Valley’s help in defeating ISIS as social media tools become crucial to how groups gain support and disseminate information. People complain readily (and rightfully) about Twitter’s failure to find a real solution to harassment on its platform. It doesn’t want to find itself in the same place when it comes to terrorism.
A publicly available database containing the personal information of 191 million US voters has been sitting, exposed, in a publicly accessible corner of the Internet, according to security researchers.
The database, which was first uncovered by independent security researcher Chris Vickery and reported today by DataBreaches.net, includes the names, home and email addresses, voter IDs, dates of birth, party affiliations, and voting histories of millions of registered American voters since 2000. Fortunately, it does not expose the voters’ Social Security numbers, driver’s license numbers, or sensitive financial information.
While 191 million records sounds pretty alarming, it’s worth noting that voter registration lists are usually a matter of public record—though many states enforce regulations to control access to the information. Some states charge expensive fees, for instance, for access to such data. South Dakota, as noted by DataBreaches.net, explicitly requires those looking to acquire voter data to sign a statement confirming their understanding that the database “may not be used or sold for any commercial purpose” and “may not be placed for unrestricted access on the Internet.”
Still, this type of data can be extremely valuable, especially to those running campaigns. For one, the information in such databases might be used for targeted mailings.
That’s the reason third-party vendors hawking vast chunks of voter data exist—which is the suspected source of the breach in this case, as well. Both Vickery and Steve Ragan, a security blogger for the risk management website CSO, who also investigated the data, say the style and formatting of the data set point to a vendor called Nation Builder. The company, for its part, says that the IP address where the files were posted did not belong to it or any of its clients.
More likely, the researchers say, the poor configuration of the data set could be an indicator that a customer purchased information then sloppily threw it online without the right security protocols in place.
OK, but should you be panicking? Not quite. As mentioned, a lot of voter information is public record. As much as anything, it’s just weird that this much valuable data was sitting on the Web for so long, unchecked and undiscovered. That said, restrictions around voter data exist for a reason, if only to temper the likelihood of getting more junk mail.
In 2012, Google began notifying its users if it believed those people’s accounts or computers were at risk of a state-sponsored attack. Three years later, Facebook has now followed suit, the latest in a string of security-conscious measures the social network has recently enacted.
Facebook Chief Security Officer Alex Stamos announced the latest protection in a post on the site. “While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored,” Stamos wrote. “We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.”
Those steps range from turning on Login Approvals (Facebook’s version of two-factor authentication) to avoid being compromised in the first place to replacing their computers altogether, in the event of a confirmed attack. Stamos also clarified that Facebook will only use this warning “where the evidence strongly supports” a state-sponsored attack. Basically, if you see the message below, you have cause for serious concern.
Facebook may be a few years behind Google, but it’s to date the only other major company to offer that level of alert. The move also joins other significant steps Facebook has taken to ensure user privacy and security. In June, it offered the option to share public encryption keys, to keep email notifications between the site and its users encrypted (though intra-network messages remain unencrypted). A year ago, Facebook launched a “dark web” version of itself on Tor, an important extra layer of encryption and privacy for those trying to avoid surveillance.
There’s always more that could be done. But every layer of protection is important, and Facebook continues to demonstrate its willingness to add more and more.
When the German activist group Intelexit launched a campaign last week to persuade employees of surveillance agencies like the NSA to resign, their tactics started with billboards, online video and sidewalk canvassing. Now they’ve taken their campaign in a more aggressive direction: up into the NSA’s airspace.
On Monday, supporters of the Intelexit group, an offshoot of the Berlin-based activist collective Peng, launched a winged drone over the Dagger Complex, a U.S. military base in Darmstadt, Germany that also houses an NSA outpost known as the European Cryptologic Center. The drone, which the group tells WIRED is a Skywalker x8 remote-controlled hobbyist plane, rained down leaflets over the complex asking NSA employees if they’re “ready to exit?” and listing ethical reasons to quit the intelligence services. The stunt is captured in the video above, complete with a comically heroic NSA-battling score.
“It is very hard to reach the people working in secret services since they are so cloistered off from the rest of society,” says Ariel Fischer, a pseudonymous spokesperson for the group. “This is a really innovative way to reach out to them…It also shows employees that Intelexit is serious about helping them.”
The legality of their pamphlet drop is questionable: At least some German states prohibit flying drones over military bases. The NSA didn’t respond to WIRED’s request for comment about the anti-surveillance group’s drone launch.
Fischer adds that the campaign, which included a video featuring NSA whistleblower Thomas Drake and cryptography guru Bruce Schneier, has been an “immense success” so far. She said that the group has already been contacted by both current and former intelligence workers supportive of their cause, though she declined to say how many. If Intelexit continues its increasingly flashy exploits, it will at least have the intelligence agency’s attention.
Photo: Platon
Since his world-shaking collection of NSA leaks first dropped, Edward Snowden has been one of the most important journalistic sources in history and an elusive, occasional interview subject. Now he’s finally speaking for himself.
Can you hear me now?
— Edward Snowden (@Snowden) September 29, 2015
The former NSA contractor and defector joined Twitter Tuesday with the introductory message above. He described himself on his (Twitter-verified) page this way: “I used to work for the government. Now I work for the public.” His profile uses the Platon portrait shot for WIRED’s 2014 cover story, and also offers a shout out to the Freedom of the Press Foundation, the whistleblower-friendly civil liberties group where he serves on the board of directors.
In just the first 30 minutes following his initial tweet, more than 70,000 people had already followed him. As for @Snowden himself, he’s only following one other feed so far: the NSA’s. Stay tuned for some interesting tweet feuds.
The news of government mass surveillance keeps coming, as two more stories reveal that spy agencies in the US and the UK plotted to record the browsing habits of every internet user.
First up is a story from The Intercept about Karma Police, a seven-year-old program launched by the British spy agency GCHQ designed to catalog visits to porn sites, social media and news sites, as well as activity on search engines, chat forums, and blogs. As previously reported, GCHQ has tapped more than 200 undersea cables as part of its spying partnership with the NSA, siphoning gigabytes of data each day. Karma Police describes how some of that data is used to build a profile of a user’s web browsing and search engine histories, Skype calls, and other communications via email, instant messaging and text. The Intercept notes that the surveillance isn’t targeted but instead indiscriminately tracks the activity of many users to uncover patterns and relationships.
In the US, the war over encryption backdoors continues with a new government memo obtained by the Washington Post, which shows that a taskforce explored four possible ways the government might deal with the encryption standoff between law enforcement and spy agencies on the one hand and technology companies and the public on the other.
Among the most controversial options discussed? Exploiting the automatic software updates vendors push out to customers. Under a court order, a company could be compelled to embed spyware in an update to infect a targeted customer’s phone or tablet. The memo warned, however, that this tactic could backfire by calling into question “the trustworthiness of established software update channels,” which could lead customers to opt out of updates, leaving their devices less secure and open to attacks from other sectors. Ironically, that’s exactly the criticism that arose in the security community in 2012 when researchers discovered that Flame, a nation-state spy tool believed to have been developed by the US and Israel, subverted the Microsoft Windows Update system to install itself on targeted machines. Sources told the Washington Post that while the software update option and others were considered by the task force, the government has no plans to pursue them.
Edward Snowden opened the world’s eyes to mass surveillance being conducted by the US intelligence agency and its partners in the UK and elsewhere. Now a new treaty, developed by international legal experts, is asking nations around the world to take a stance on mass surveillance.
The so-called Snowden Treaty asks signatory countries to enact local laws against mass surveillance and uphold the right to privacy; to establish independent oversight that ensures public transparency and accountability; and to establish international protections for whistleblowers, which would oblige signatories to guarantee the right of residence, either inside their borders or in their embassies, to people claiming to be persecuted as whistleblowers.
The language of the treaty was developed by experts in international law and Internet freedoms and surveillance at the Electronic Frontiers Federation, with input from journalist Glenn Greenwald and others. The group said they will not be releasing the actual treaty document today, as it’s still being refined and they’ve given it to several governments like Brazil, Germany and Iceland for review, but they did distribute a summary (.pdf).
You can watch a livestream of the press event announcing the treaty and discussing the details here:
Congratulations @libraryfreedom, @torproject, @ACLU_NH, and the Lebanon, NH community for choosing freedom over fear! http://t.co/ungQeUzETv
— ACLU Massachusetts (@ACLU_Mass) September 16, 2015
A library in Lebanon, New Hampshire was the first in the country to provide a particular privacy service to patrons near and far: it enabled a Tor relay node that anyone could use to mask their geographical locations from prying eyes. But the government didn’t like that so much, and Homeland Security issued a warning to the library that Tor could be used by criminals.
In response, the library shut down its Tor program. The outcry from privacy advocates was swift. People pointed out all the many non-nefarious reasons a person might want or need the protection that Tor anonymity provides, among them protection from stalkers, spies, or oppressive governments.
Then last night the library board showed it would not be cowed. After a crowded open meeting, the Valley News reports that the library voted to reinstate the node.
“It came to me that I could vote in favor of the good … or I could vote against the bad,” library board Chairman Francis Oscadal reportedly said.
The motto of New Hampshire is “Live free or die,” after all.
Tor Project Statement on #KiltonLibrary decision
(now in more readable colors) pic.twitter.com/G4vIsQJfCZ
— torproject (@torproject) September 16, 2015
You just know in your bones that the NSA spied on you and shared that data with Britain’s GCHQ spy agency, right? So how can you confirm this? Through a new online tool offered by the British civil liberties group Privacy International.
Thanks to a legal victory Privacy International obtained earlier this year, the UK’s Investigatory Powers Tribunal is now required to search through data the GCHQ obtained from the NSA for information collected on anyone in the world if that person so requests it. If you request the info and the Tribunal finds something, it must let you know. The catch is you have to make the request before December 5, 2015. Privacy International has made this easy with its “Did GCHQ Illegally Spy on You?” online tool.
Earlier this year the Investigatory Powers Tribunal in the UK ruled that British intelligence services acted unlawfully when they accessed the private communications of millions of people that had been collected by the NSA under its mass-surveillance programs known as PRISM and Upstream and shared with the British spy agency. The PRISM program, which began in 2007, allowed the NSA to collect data in bulk from U.S. companies like Yahoo and Google. The Upstream program involved the collection of data from taps placed on hundreds of undersea cables outside the U.S.
The Tribunal will only search for records shared between the NSA and GCHQ prior to December 2014. And, unfortunately, it won’t reveal if the GCHQ obtained data about you on its own and/or shared it with the NSA, or if the NSA spied on you and didn’t share that data with GCHQ. The amount of data the Tribunal will search may also be limited.
“Once a claim is filed, the IPT will usually only search GCHQ’s records for unlawful activity during the year before the claim was submitted,” Privacy International notes. “What this means is that a claim submitted on 14 September 2015 would lead to records being searched for the time period between 14 September 2014 and 5 December 2014.”
There’s one other caveat about the request. The Tribunal can only search its data for information about you if you submit details such as your name, email address and phone number. Of course in submitting your email address and phone number, you’re potentially providing the British government with information it doesn’t already have about you. But, as Privacy International points out in its FAQ about the tool, there’s no way around this.
The good news is that if the tribunal does find information collected about you, GCHQ must delete that data once the investigation into your records is done, along with the request form you submitted.
Photo: Jeb 2016
Jeb Bush has been cozying up to Silicon Valley this election season, but his newly announced cybersecurity platform isn’t likely to win him many fans within the tech industry. In a lengthy post detailing his plans today, the former governor advocated for increased government surveillance, writing, “The National Security Agency and Cyber Command are on the front lines of defending the United States against cyberthreats. We must stop demonizing these quiet intelligence professionals and start giving them the tools they need.” But Bush is light on details as to what those tools would be.
Insert much gnashing of teeth by American tech companies and privacy advocates here.
In the post-Edward Snowden era, tech giants like Apple and Microsoft have become increasingly vocal about the need to protect user data from the prying eyes of the government. Meanwhile, privacy experts have panned proposed legislation like the CISA Security Bill, insisting that it creates too many surveillance loopholes for the government. Bush, on the other hand, argues in his new proposal that the President should push Senate Democrats who oppose the bill “to allow this bill to come to the Senate floor for a vote.”
Bush is likely all too aware of the reaction these suggestions might receive from the tech world. That may explain why he also included a promise that seems out of place in a plan about cybersecurity: to “remove barriers to innovation in the tech industry.” This appears to be Bush’s way of softening the blow from the rest of his platform.
Bush is far from alone in this approach to cybersecurity. During last month’s Republican debates, former HP CEO Carly Fiorina emphasized the importance of tearing down the so-called “cyberwalls” that tech companies put up to protect themselves from government requests for data. And New Jersey governor Chris Christie and Florida Senator Marco Rubio have also called for increased intelligence capabilities.
For privacy-concerned technologists in search of a conservative candidate, at least there’s always Rand Paul.
Photo: Brian Finke
Update: 9:19 am ET 09/09/2015 Several hours after this story was published, John McAfee filed paperwork with the Federal Election Commission to run for President. He also launched an official campaign website.
If you didn’t think the 2016 election season could get any more batshit crazy than it already is, now, John McAfee—the self-described “eccentric millionaire,” who founded the anti-virus software company McAfee, and who once played Russian roulette with a loaded gun while WIRED writer Joshua Davis stood by—says he is considering joining the 2016 presidential race. But first, he says he’s hoping to persuade someone who is “smarter and more charismatic” than he is to run with his backing.
“I personally am still in a quandary about whether to run myself or find someone else for my party,” McAfee tells WIRED. “My advisors are pressing me to run.”
McAfee, who won’t name his advisors or his prospects for stand-ins, says he’s been mulling a run for some time at the urging of his online followers. “I have many thousands of emails saying please run for President,” he says. “It’s not something I would just choose to do on my own.”
But McAfee says he does believe the government is broken, largely because its leaders don’t understand technology as well as, well, he does. He points to the recent hacks of the U.S. Office of Personnel Management and Homeland Security as proof.
“Things like this cannot happen or should not happen,” he says. “It’s clear that the leadership of our country is illiterate on the fundamental technology that supports everything in life for us now, that is cyber science, our smartphones, our military hardware, our communications.”
McAfee argues that the fact that the government is urging tech companies like Apple to create so-called “backdoors” into their systems that would allow the government to collect information on users is another sign that public servants just don’t get it. “That means allowing hackers easy access to anybody’s data,” he says.
The prospect of a President John McAfee may sound absurd to you. If it doesn’t, please recall that McAfee was once arrested in Guatemala after fleeing Belize, where he was wanted for questioning by local police for the murder of his neighbor. No charges were brought against him in the murder case, but McAfee’s backstory is still a tad colorful for politics, even in the age of Trump.
Yet the privacy arguments he’s making aren’t altogether unlike the ones that Apple and other tech companies have been lobbying for in Congress.
Like Lawrence Lessig, the Harvard professor who is running for president to push an agenda for campaign finance reform, McAfee seems far more concerned with having his voice heard on one particular issue than with taking a seat in the Oval Office.
Which may explain why McAfee is seeking a stand-in for his presidential run. He also said he didn’t want to discuss other elements of his platform until he, er, knows whether he or someone else is going to be the candidate. That announcement should come within the next 48 hours, according to McAfee. As for whether Donald Trump’s surprising popularity had anything to do with his presidential ambitions, McAfee said, “I have great respect for the man but he has nothing to do with my decision to run.”
The NSA was sloppy about guarding its classified secrets from Edward Snowden, but no one at the agency is in danger of being prosecuted for that security lapse. What Hillary Clinton did with her private email server, however, is criminal, says Snowden.
If any other State Department or CIA employee were using a private email server to send details about the security of embassies, as Clinton is rumored to have done, as well as sensitive meetings with private US government officials and foreign officials over unclassified email systems, “they would not only lose their jobs and lose their clearance, they would very likely face prosecution for it,” the NSA whistleblower said in an interview with Al Jazeera English.
“When the unclassified systems of the United States government, which has a full-time information security staff, regularly gets hacked, the idea that someone keeping a private server in the renovated bathroom of a server farm in Colorado, is more secure is completely ridiculous,” Snowden said, referring to the location of Clinton’s controversial email server, which had been maintained by the Denver-based company Platte River Networks, and to Clinton’s initial assertions that her server was secure and had suffered no security breaches.
Snowden is right about the punishment others would face for mishandling classified information. There have been a smattering of such prosecutions over the last decade, generally involving low-to-mid-level military and government personnel. Former CIA Director General David H. Petraeus is one of the most prominent to be caught up in a case involving the mishandling of classified information. He was charged with mishandling classified materials after an investigation revealed that he had improperly removed and stored top-secret information in eight personal notebooks that he kept in an unlocked drawer in his home study while CIA Director. The information in the notebooks included code words for secret intelligence programs, the identities of covert officers, and notes about discussions with the National Security Council. He eventually pleaded guilty to a misdemeanor charge of mishandling classified materials and was fined $100,000.
It’s been a month since news first broke that cheating site Ashley Madison was hacked. During that time Noel Biderman, CEO of the site’s parent company Avid Life Media, has remained confident in his company’s strength and endurance.
After Biderman refused to bend to the hackers’ demand to take Ashley Madison and another site offline, the perpetrators began to leak data stolen from the company’s networks. At first, the data was only about Ashley Madison’s spouse-cheating customers, but last week, private emails from Biderman’s corporate account hit the web. Today, following stories that Biderman may have engaged in a number of extramarital affairs, as revealed in those emails, ALM announced that Biderman is stepping down as head of the company.
“Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc, (ALM) and is no longer with the company,” the company said in a statement. “This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to our customer base.”
The statement gave no reason for Biderman’s sudden departure, but it comes days after revelations of Biderman’s alleged infidelities.
Biderman founded the site, whose motto is “Life is short. Have an affair,” in 2001 and often referred to himself as the King of Infidelity. But despite encouraging other people to have affairs, Biderman, a married father with two young children, had long insisted that he had never cheated on his wife, nor did he want to.
“If I wanted to have an affair I would have one,” he told the New York Daily News last year.
But it turns out that Biderman may have been lying. At the time of that interview, the leaked emails suggest he may have already been engaging in a three-year sexual relationship with a Toronto escort who may have been paid for her favors.
Biderman apparently met the woman in 2012 at a spa. She emailed him in July 2012 identifying herself as “Melisa from the spa” and suggested they meet for coffee. Emails between them over the next two years depict a number of assignations at hotels.
The emails show it was the escort, who appears to have been a student at the time, who finally broke off their arrangement in September 2014 after she became concerned that her boyfriend might find out.
“He’s very intuitive and almost found out last time,” the woman wrote Biderman in a September 2014 email leaked by the hackers. “I’m sorry. I don’t want to lose him. As much as I need the money. I talked to him this morning and my sense of guilt made me imagine that he knows.”
Biderman appears to have offered her a job with the company, writing her in October that “I will also have a good ‘signing bonus’ for you :).” The woman later declined the job, however.
The leaked emails also show Biderman discussing meetings with other women, including one identified as Mila who gave Biderman a phone number that matched a profile on TheEroticReview.com web site for an escort named Mila.
WIRED was unable to determine if the specific emails suggesting infidelity are legitimate, but they were released with other files that have been verified.
It’s not clear why Biderman would engage so boldly in revealing conversations through his work email account—instead of using a private account. Any system administrator working for the company would have been able to access his emails and view the conversations.
Authors’ note as of 8/25/2015 at 11:40 a.m. ET: One of the sites linked to in this post—Trustify—is embroiled in controversy surrounding how it has been contacting people whose emails are found in the Ashley Madison data dump, as well as how it encourages those people to then pay for its P.I. services. Rather than go into that here in this How To, we have detailed the entire debacle in a separate article that we encourage you to read.
Wait. Stop. Don’t do this. Don’t check these websites.[1]
Let’s just all take a deep breath and reflect on what has become of us, as a people. A website was created so that married people could easily cheat on each other, and then a reported 40 million people signed up, and then angry hackers stole their data and released it to the world out of righteous vengeance. And now the moral crowd gathers to shame and condemn. To point fingers. To search for spouse’s emails with breath clenched tight. This is the sad state of modern affairs (OK, yes, pun intended). This is the quiet desperation of the masses. This is the pathetic morass of our culture.
We should not play along. We should get off the ride. We should not search this database for our loved ones. We should take our kids to the water park. We should close our computers and walk out into the sunshine of late summer and feel the heat of our glorious life-sustaining superstar on our cheeks.
But if you’re not going to do that, you can search through the data dumped last night by the hackers who hit Ashley Madison by visiting this site, which was launched yesterday by Trustify, an Internet investigation service that tailors to romantic suspicions. Or, if you prefer, you could use this tool. Or this one. All you have to do is enter an email, any email, and see if it was hacked. Finding the email on the list means yes, there was an Ashley Madison account tied to it. But, crucially, Ashley Madison never required email accounts to be verified, so if you find someone’s email here it does not necessarily mean they set up an account for themselves. If you are already a subscriber to “have i been pwned,” a site that alerts people if they have been breached, and you are able to verify the email address you are checking, then that site can also tell you.[2]
“We are getting about one customer search per second since this morning [via the app],” says Trustify’s Danny Boice. Boice said regardless of what comes up, many of these customers end up booking a Trustify private investigator. “We are getting an even number of men who were using Ashley Madison coming to us to do damage assessment as we are spouses who suspect they are being cheated on.”
When asked about suspicious partners using Trustify’s new tool to check up on their significant others, Boice says, “Trustify is in the business of finding the truth. We do this in an objective and unbiased way. We don’t intervene in how or why people want the truth or answers, we simply use our investigative pool to provide them.”
We checked a few emails we knew were among the stolen data, and they came up using every tool linked above, so the tools appear to be legitimate.
But again, maybe don’t check. No good can come of this.
1 Updated on 8/19/2015 at 3:04 p.m. to add additional sites that are offering the same service.
2 Updated on 8/19/2015 at 4:45 p.m. to clarify that only subscribers with verified email addresses can search the data on “have i been pwned.”
It’s one thing to talk about security vulnerabilities in a product, but another to provide a proof-of-concept demonstration showing the device being hacked.
That’s what occurred last month when BlackBerry Chief Security Officer David Kleidermacher and security professional Graham Murphy showed how easily an attacker can take control of a hospital drug infusion pump by overwriting the device’s firmware with malicious software.
The hack would allow someone to remotely administer a fatal drug dose to patients.
Although the video demonstration, conducted at the BlackBerry Security Summit in New York, doesn’t identify the model and brand of the pump being attacked, security researcher Billy Rios says it’s the Lifecare PCA drug infusion pump made by Hospira, an Illinois-based firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.
Rios knows this because the demonstration is using vulnerabilities he uncovered in several models of drug infusion pumps made by Hospira—the PCA, PCA3, PCA5, Symbiq, Plum A+, and the Plum A+3.
As previously reported by WIRED, those security problems would allow attackers to raise the software-defined upper limit on the dosage delivered to a patient before then administering a deadly dose.
Although the FDA issued an alert about the PCA3 and PCA5 pumps earlier this year, it declined to warn hospitals about the other models. And it’s unclear whether hospitals have heeded the warning about any of the unsecured devices.
You don’t need to be a Wall Street insider to pull off insider trading anymore. Today, nine traders and hackers allegedly involved in an insider trading scheme were indicted for stealing advance copies of press releases, according to a Justice Department announcement.
The group is accused of hacking into the networks of Marketwired, PR Newswire Association and Business Wire to access copies of press releases that had not yet been published. The traders then used this information, sometimes acquired just minutes before the releases were published, to make their own trades. The scheme—which lasted from February 2010 to August 2015, according to the release—appeared to be a massive success. The feds seized bank accounts holding over $6.5 million in alleged criminal proceeds, as well as $5.5 million worth of property, including a house boat, an apartment building in Georgia and a shopping center in Pennsylvania.
This is the latest example of the web being used to manipulate the stock market. Earlier this year a fake news story attributed to Bloomberg briefly inflated Twitter’s stock price. A similar ploy was used in a scheme to pump and dump Google stock in 2012. And in 2013 the hacker group called the Syrian Electronic Army took responsibility for hacking into the Associated Press’s Twitter account to post messages that caused a stock market panic. But this may be the most elaborate of these schemes yet.
Oracle undoes the problems created by their CSO’s rant by deleting her blog post. Done. PS: http://t.co/EyvsPngufQ pic.twitter.com/Tckm33b91H
— Mikko Hypponen (@mikko) August 11, 2015
If you take apart Oracle’s software and find a hackable vulnerability, don’t tell the company. Or at least not its chief security officer.
“If you are trying to get the code in a different form from the way we shipped it to you…you are probably reverse engineering,” writes Oracle CSO Mary Ann Davidson. “Don’t. Just – don’t.”
That, in short, is the message of a nearly 3,000-word rant Davidson wrote on her company blog yesterday. The post was deleted sometime before Tuesday morning, but is still visible on the Internet Archive. Davidson rails against customers who report bugs to the company, and complains that she’s increasingly having to write responses telling them to stop violating their license agreement, which forbids reverse engineering Oracle’s software.
“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it,” she writes. “This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”
The post set off an immediate firestorm in the security industry, which, aside from Oracle, has increasingly adopted a friendly attitude toward reverse engineers and benign hackers. Standard practice for a company that receives a report of a previously unknown vulnerability in its software, a so-called “zero-day” bug, is to credit the researcher or even pay a “bug bounty” monetary reward. Practically every major tech company from Google to Microsoft, and increasingly other companies from United Airlines to Tesla, now runs some version of those reward programs.
Davidson, who has a long history of adversarial relationships with security researchers, took a harshly opposite tone. “We will also not provide credit in any advisories we might issue,” she wrote. “You can’t really expect us to say ‘thank you for breaking the license agreement.’”
Oracle vice president Edward Screven explained the post’s deletion in a statement to WIRED Tuesday afternoon. “The security of our products and services has always been critically important to Oracle,” Screven writes. “Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”1
Despite that pseudo-apology, here are a few of the response tweets from the security community, many of which excoriate Oracle for rejecting free security advice and make the undeniable point that the company’s real enemies—nation-state hackers and cybercriminals—won’t abide by Oracle’s draconian prohibition on reverse engineering.
When you outlaw reverse engineering, only outlaws will reverse engineer. Oh, and nation states. Don’t forget them.
— David Litchfield (@dlitchfield) August 11, 2015
BREAKING NEWS: APTs and cyber criminals announce they will no longer reverse engineer Oracle because it is a violation of the terms
— George V. Hulme (@georgevhulme) August 11, 2015
Oracle’s crazy don’t-look-don’t-tell policy on vulnerabilities is fun to mock, but also a serious threat to our community.
— matt blaze (@mattblaze) August 11, 2015
don’t bother sending @oracle annoying bug reports, they prefer you anonymously drop 0day or sell to the highest bidder.
— Ralf (RPW) (@esizkur) August 11, 2015
1 Updated 3pm EST with a comment from Oracle explaining the post’s deletion.
The Stagefright bug has quickly frightened cell phone manufacturers into action. It’s been just over a week since researchers alerted the public to the serious flaw that has been called the worst Android “bug ever discovered,” and the major Android manufacturers have already taken concrete steps to fix it.
As of yesterday, Google will now roll out regular monthly over-the-air security updates to its devices. And so will Samsung. And LG.
“LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority,” an LG representative told WIRED today in an email.
Yesterday, Samsung announced a similar program in a blog post: “Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.”
As for Google, its updates will be rolling out to its entire Nexus line. “The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player,” Adrian Ludwig, Lead Engineer for Android Security, and Venkat Rapaka, Director of Nexus Product Management wrote in a blog post.
The first updates from all three companies will address the Stagefright vulnerability, which would have allowed a hacker to gain access to your Android device simply by sending a malicious multimedia message, with no action required from you. Though the problem is easy to fix and Google had a patch ready when the news broke last week, getting it out to the fragmented Android ecosystem was another story. For most devices, Google depends on the individual phone manufacturers, and often the carriers, to push updates to their customers. The good news is that the reaction to Stagefright was uncharacteristically swift. In addition to these new regular security update programs from Google, Samsung and LG, other major manufacturers such as HTC and Sony, as well as the Android One program, are reportedly sending Stagefright patches out to customers.
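The roundup above says only that a malicious message could take over the phone. The Stagefright bugs themselves were integer overflows in libstagefright’s MPEG-4 parser, where chunk sizes read from the media file were summed in 32-bit arithmetic before a buffer was sized; that is public record about the flaw, not something this page states. The following is an added C example, not Android’s code and not the researchers’ exploit: it shows the bug class with a naive running-size computation that wraps, beside a checked version, and a box-header parser that refuses to read past the data it was given. The box layout is the generic MP4 “size then type” header and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative MP4-style "box" handling: each box begins with a 4-byte
 * big-endian size (which covers the header itself) and a 4-byte type tag.
 * The sizes here are what an attacker controls in a crafted media file.
 */

/* Vulnerable pattern: accumulate a running total in 32-bit arithmetic.
 * With old_size near UINT32_MAX, adding an attacker-chosen chunk_size
 * wraps to a small value; a buffer allocated from that total and then
 * filled with chunk_size bytes is a heap overflow. Returns the wrapped sum. */
uint32_t naive_total_size(uint32_t old_size, uint32_t chunk_size)
{
    return old_size + chunk_size;   /* unsigned wraparound, never checked */
}

/* Hardened: refuse the chunk if the sum would wrap or exceed a sane cap.
 * Returns 0 and stores the total on success, -1 when the chunk is rejected. */
int checked_total_size(uint32_t old_size, uint32_t chunk_size,
                       uint32_t cap, uint32_t *out)
{
    if (chunk_size > UINT32_MAX - old_size)
        return -1;                  /* addition would wrap */
    uint32_t total = old_size + chunk_size;
    if (total > cap)
        return -1;                  /* more than we are willing to buffer */
    *out = total;
    return 0;
}

/* Parse one box header from buf, which holds `remaining` readable bytes.
 * Rejects a header that claims less than its own 8 bytes (which would make
 * the parser loop or go backwards) or more bytes than are actually present. */
int parse_box_header(const uint8_t *buf, size_t remaining,
                     uint32_t *box_size, char type[5])
{
    if (remaining < 8)
        return -1;
    uint32_t size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (size < 8 || size > remaining)
        return -1;
    *box_size = size;
    memcpy(type, buf + 4, 4);
    type[4] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed: a well-formed 16-byte box of type "free". */
    const uint8_t good[16] = { 0x00, 0x00, 0x00, 0x10, 'f', 'r', 'e', 'e',
                               0, 0, 0, 0, 0, 0, 0, 0 };
    /* Constructed: a header claiming 0xFFFFFFFF bytes inside an 8-byte buffer. */
    const uint8_t bad[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 'm', 'o', 'o', 'v' };
    uint32_t size, total;
    char type[5];

    if (parse_box_header(good, sizeof good, &size, type) == 0)
        printf("accepted %s box of %u bytes\n", type, (unsigned)size);
    if (parse_box_header(bad, sizeof bad, &size, type) != 0)
        printf("rejected header claiming more data than present\n");

    /* The arithmetic hazard: 0xFFFFFFF0 + 0x20 wraps to 0x10. */
    printf("naive total: %u\n", (unsigned)naive_total_size(0xFFFFFFF0u, 0x20u));
    if (checked_total_size(0xFFFFFFF0u, 0x20u, 64u * 1024u * 1024u, &total) != 0)
        printf("checked total: rejected (would wrap)\n");
    return 0;
}
```

The two checks in `checked_total_size` are the whole fix for this class of bug: test for wraparound before adding, and cap the result at something the device can actually afford to allocate, so that a file can neither shrink the buffer below its contents nor demand a gigabyte for a text track.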
If you’re not sure whether your device is vulnerable to Stagefright, the researchers who uncovered it released an app yesterday that can tell you.
A federal appeals court gave new hope this month to victims of data breaches. In the past, courts have dismissed most class-action lawsuits filed by breach victims for lack of standing: although a victim’s personal data might have been stolen, unless he or she had suffered actual damages, such as identity theft or fraudulent bank card charges, the victim had no standing to sue under Article III of the Constitution. And since banks promise zero liability to consumers whose cards are stolen and misused, victims of card breaches typically suffer no actual losses.
But this month the Seventh Circuit Court of Appeals, which covers Illinois, Indiana, and Wisconsin, bucked the trend when it ruled that breach victims do have standing, regardless of whether they have yet suffered damages.
The case, Remijas v. Neiman Marcus, involves four consumers who filed a class-action complaint against Neiman Marcus after a breach of its computers in 2013 gave intruders access to card data for some 350,000 customers. About 9,200 of the victims had cards that were subsequently used for fraudulent transactions, but none of them suffered actual losses. Nonetheless, the court ruled that everyone affected by the breach, whether or not their account numbers were used for fraud, had standing to sue. Once a card number has been stolen, the court reasoned, the likelihood that it will be used for fraud is high, and there are “identifiable costs” in the effort expended to sort out the issue, seek reimbursement if fraud does occur, and update auto-pay accounts with the new numbers on replacement cards.
BREAKING: http://t.co/Q8cXe58njh health website is under attack by anti-abortion extremists.
— Planned Parenthood (@PPFA) July 29, 2015
Planned Parenthood has been at the receiving end of a war of words from activists and GOP politicians in the wake of controversial videos purporting to reveal that the health organization sells body tissue from aborted fetuses. (It doesn’t.) Now the battle has moved from words to hacks. Planned Parenthood tweeted Wednesday afternoon that its site was under attack “by anti-abortion extremists,” suggesting that a coordinated DDoS assault was trying to take the site offline. Though there were reports on Twitter of the site being down for a brief period, it quickly came back up.
“Today, the Planned Parenthood websites experienced a wide scale distributed denial of service (DDoS) attack, a hacker tactic to overwhelm websites with massive amounts of traffic to block any legitimate traffic from getting in,” Dawn Laguens, Executive Vice President of Planned Parenthood, told WIRED in an e-mail.
Planned Parenthood elected to take its site back offline for a day “in order to ensure that we are fully protected,” Laguens wrote. “We’ll be redirecting visitors to our Facebook pages during that time. Planned Parenthood is committed to getting people the information they need to make healthy decisions and meet their goals in life—and we deeply regret that in order to more fully protect our websites from these extremist attacks, our full online content will be temporarily unavailable to people looking for good, accurate health information. We will continue to work to reach people where they are online, and our sites will be back up soon.”
@DrJenGunter it looks like it is: http://t.co/VCtQYuF06F pic.twitter.com/EUqIRegjtJ
— J. Dickinson Goodman (@JessiDG) July 29, 2015
This follows days of controversy for the women’s health organization. Yesterday, a third video was released. Then, Republican Senators said they would vote to defund the organization. Today, Marco Rubio set off a Twitter firestorm after he tried to equate the unrelated story of the killing of Cecil the lion with Planned Parenthood. And, after defending the organization earlier, Hillary Clinton today called the latest videos “disturbing.”
Updated at 11:52 p.m. ET with commentary from Planned Parenthood.
One month after a law was passed ending the NSA’s bulk collection of US phone records, the director of national intelligence announced today that records previously collected by the spy agency will be destroyed, according to the Associated Press.
The director of national intelligence did not say when the records would be destroyed, but noted that they must be retained as long as lawsuits around the collection program are ongoing.
After the program was ruled illegal by a court in May, lawmakers passed a bill last month that put an end to the NSA’s bulk phon