A Mugshots.com Indictment, Lost Grenades, and More Security News This Week
Credit to Author: Lily Hay Newman| Date: Sat, 19 May 2018 13:00:00 +0000
As is often the case, it was a week of mixed messages in security, with the White House eliminating its top cybersecurity policy roles at a crucial moment in geopolitics and the evolution of cyberwar. WIRED took a deep look at Robert Mueller's military service in Vietnam and his first year as special counsel, examining the Trump campaign’s interactions with Russia. And senators questioned former Cambridge Analytica research director Christopher Wylie on Wednesday, looking to gain some clarity on the company's privacy-infringing tactics.
Alphabet's Jigsaw incubator announced free DDoS attack protection for any US political campaign or candidate—a helpful last-minute option with the midterm elections just six months away. And the Department of Justice successfully prosecuted two men behind a popular malware development tool Scan4You after the security firm Trend Micro brought extensive information about the platform to the FBI. Always nice to get some good news.
Meanwhile, researchers discovered a major flaw in two widely-used encrypted email protocols, and Facebook and Google+ are still riddled with grisly jihadi content depicting and promoting violence.
So, yeah, you know how it is. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
The California attorney general's office charged four people with extortion, money laundering, and identity theft on Wednesday for their alleged involvement with the website Mugshots.com, which posts people's mugshots, but will take them down for a fee. Two of the alleged site owners, Thomas Keesee and Sahar Sarid, were arrested in Florida on Thursday. The other two defendants are Kishore Vidya Bhavnanie and David Usdan. "This pay-for-removal scheme attempts to profit off of someone else's humiliation," California Attorney General Xavier Becerra said in a statement. "Those who can't afford to pay into this scheme to have their information removed pay the price when they look for a job, housing, or try to build relationships with others."
Mugshots.com has impacted people's lives for years; some have attempted to sue the site, but have found little recourse. Meanwhile, the site says in a newly prescient "Disclaimer Notice" that, "Published mugshots and/or arrest records are previously published public records. The mugshots and/or arrest records published on Mugshots.com are in no way an indication of guilt and they are not evidence that an actual crime has been committed. Arrest does not imply guilt."
On Wednesday, Cisco published 16 security advisories, including three ranked "Critical." Two are bugs that an attacker could use to sidestep authentication checks in Cisco's network architecture service "DNA Center," and one is essentially a backdoor account that could give full access to a DNA system. Cisco released patches for all of these flaws, and urged customers to apply them. The company has revealed a worrying number of security vulnerabilities in the last few months, but observers note that it may not be as a bad a sign as it seems. Cisco began an extensive internal review in 2015 in response to dire bug discoveries at other companies, and the audit has succeeded in uncovering a number of flaws that might have otherwise persisted undetected.
This week the Air Force offered $5,000 to anyone with information about a box of grenade rounds it lost in North Dakota. Officers from the 91st Missile Wing Security Forces team misplaced the ammunition—meant for an MK 19 automatic grenade launcher—on May 1 while moving between two intercontinental ballistic missile sites. Minot Air Force Base said in a statement that the box had fallen off a vehicle when a hatch popped open. A hundred Air Force members walked the six mile stretch of gravel road where the grenades are thought to have been lost, but didn't find them. Officials say that the grenades will only work properly in an MK 19 launcher, but damage to them or their box could, as you might imagine, cause an explosion. If you know where the grenades are, call the anonymous tip line at (701) 723-7909.
Researchers at the security firm FireEye posted findings this week about 200 million sets of personal data from Japan being sold on a criminal forum. FireEye says the seller is a known Chinese threat actor that has been active since at least 2013. Researchers first started investigating the dataset, which contains a diverse array of information about Japanese web users like names, email addresses, usernames and passwords, dates of birth, phone numbers and addresses, in December. FireEye says the information seems to be legitimate and was likely collected through a number of different breaches rather than one massive targeted attack. The attackers sold the dataset for about $150. The population of Japan is roughly 160 million, so though 200 million sets of information likely does not correspond to 200 million people, the trove could still expose information about a significant portion of Japanese citizens.