Newly Found Equifax Victims, Apple Vulnerabilities, and More Security News This Week
Credit to Author: Lily Hay Newman| Date: Sat, 03 Mar 2018 14:00:00 +0000
It was a wild west week in security, as GitHub succeeded in surviving the biggest DDoS attack ever (1.35 terabits per second!) and analysts scrutinized the "false flag" techniques Russian hackers have used in their attacks to shift blame and throw off investigators. Researchers found an unexpected method for executing phishing attacks against some "unphishable" Yubikey two-factor authentication tokens. (Not the one included in WIRED's subscription package.) And the Supreme Court began hearing arguments in US v. Microsoft, which will have major implications for how your data is stored and accessed by governments.
The shenanigans didn't stop there. On Sunday, House Democrats released a dramatic rebuttal to the controversial "Nunes memo," in which Republicans asserted last month that law enforcement officials inappropriately obtained a surveillance warrant against former Trump campaign advisor Carter Page. Researchers found that websites using "session replay" tools to track users risk exposing sensitive data like passwords in the process, and Facebook quietly started notifying users about its expanded face recognition features—here's how to turn them off if you don't want to feed biometric data to the social network. Meanwhile, disinformation campaigns are fueling conspiracy theories about the Parkland shooting and the malicious cryptojacking trend rages on.
And, incredibly, there's more. Every week we round up all the news we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there.
###Equifax Adds 2.4 Million More People to Tally of Those Impacted By 2017 BreachIn September, the credit-monitoring firm Equifax disclosed a massive breach that exposed personal information for what the company thought at the time was 143 million people. About six weeks later, Equifax increased its estimate to 145.5 million people potentially impacted. On Thursday, the company threw in another 2.5 million victims, bringing the new total to 147.9 million. The newest additions had their names and a portion of their US driver's license numbers exposed, so the situation isn't as dire for them as it was for the millions of people whose birth dates, addresses, and Social Security numbers were affected. But any details can help criminals build profiles for identity theft. And 2.4 million people is…really a lot of people to only just now have noticed.
###Israeli Defense Contractor Cellebrite Claims It Can Unlock Virtually Any iPhoneThe Israeli digital forensics firm Cellebrite now quietly claims that it can unlock mobile Apple devices running iOS 11 (even the most current 11.2.6), including the iPhone X. The US government already contracts with Cellebrite for device unlocks, which only cost $1,500 a pop, according to Forbes. Clients must physically send the devices they want to break into to Cellebrite's Advanced Unlocking and Extraction Services lab. The techniques Cellebrite uses to get around iOS 11's data privacy protections are still unknown, but the company claims that it can infiltrate "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11." The services are a boon to law enforcement, but present a real dilemma for Apple's mobile customers, especially those who choose Apple products because of their strong security and privacy protection record.
###German Government Networks HackedThe German government fought back this week against a powerful digital attack that breached high-security foreign and defense ministry networks and potentially exposed important data. "The loss of sensitive information amounts to significant damage on its own," conservative lawmaker Armin Schuster told the press. "But we can say that the German government is trying, as far as we know today, to keep the process under control." Some reports indicated that the attack had gone on for as long as a year before the government detected it in December. The German government has not yet offered an official attribution for who was behind the attacks. Some officials have hinted, though, that it may stem from Russia, specifically either the group known as Snake or the Advanced Persistent Threat 28 group called Fancy Bear, which famously breached the Democratic National Committee in the United States in 2016.
The data analysis firm Palantir, known for its law enforcement connections and penchant for developing surveillance tools, has collaborated on clandestine predictive policing with the New Orleans Police Department since 2012, The Verge reported this week. The company contributed software that tracked the social media use, criminal histories, and gang affiliations of people of interest in New Orleans and attempted to predict things like which of them might commit violent crimes or be victims of crimes. The NOPD has extended the collaboration three times, and it may have expired on February 21 or been renewed again. The Verge uncovered indications that even when evidence gleaned through the Palantir platform informed an investigation, officials hid its existence from evidence submitted for trials.