{"id":13533,"date":"2018-10-06T10:45:16","date_gmt":"2018-10-06T18:45:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/06\/news-7300\/"},"modified":"2018-10-06T10:45:16","modified_gmt":"2018-10-06T18:45:16","slug":"news-7300","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/10\/06\/news-7300\/","title":{"rendered":"A Good Password Law, Hardware Hacks, and More Security News This Week"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5bb7e799235b00769c26836e\/master\/pass\/security%20roundup%20-%20devices%20with%20default%20passwords-getty-82090186-516390768-103228444.jpg\"\/><\/p>\n<p><strong>Credit to Author: Emily Dreyfuss| Date: Sat, 06 Oct 2018 13:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">It\u2019s been an <\/span>insane week\u2014in the security world and beyond. As Brett Kavanaugh&#x27;s Supreme Court nomination hearings captivated the nation, the information war to sway public opinion raged, <a href=\"https:\/\/www.wired.com\/story\/how-the-kavanaugh-information-war-mirrors-real-warzones\/\">mirroring a real warzone<\/a>.<\/p>\n<p>In case you didn\u2019t have time to follow everything else that happened, here\u2019s a quick rundown. Though technically the news of Facebook\u2019s massive breach broke last Friday, the repercussions were still being felt and figured out this week. But as the enormity of that <a href=\"https:\/\/www.wired.com\/story\/facebook-hack-single-sign-on-data-exposed\/\">internet-wide disaster<\/a> settled in, an even more troubling <a href=\"https:\/\/www.bloomberg.com\/news\/features\/2018-10-04\/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies\" target=\"_blank\">report<\/a> alleged that China-backed hackers had infiltrated the supply chain of major American tech companies, implanting spy chips into servers. 
We <a href=\"https:\/\/www.wired.com\/story\/supply-chain-hacks-cybersecurity-worst-case-scenario\/\">reported<\/a> why such an unprecedented attack is a \u201cscary big deal,\u201d and one for which there is no easy fix.<\/p>\n<p class=\"paywall\">You can distract yourself from the geopolitical implications of that hack by reading about why it\u2019s <a href=\"https:\/\/www.wired.com\/story\/police-unlock-iphone-face-id-legal-rights\/\">legal for cops in the US<\/a> to force you to unlock your iPhone with your face. Malware <a href=\"https:\/\/www.wired.com\/story\/mac-malware-hide-code-signing\/\">has a new way<\/a> to hide on your Mac. A simple <a href=\"https:\/\/www.wired.com\/story\/cox-communications-vulnerability\/\">bug hit<\/a> Cox Communications customers. A startup <a href=\"https:\/\/www.wired.com\/story\/apollo-breach-linkedin-salesforce-data\/\">breach exposed<\/a> <em>billions<\/em> of data points. Russian <a href=\"https:\/\/www.wired.com\/story\/russian-spies-indictment-hotel-wi-fi-hacking\/\">spies infiltrated hotel Wi-Fi<\/a> to hack their victims up close.<\/p>\n<p class=\"paywall\">In good news, <a href=\"https:\/\/www.wired.com\/story\/jigsaw-intra-app-dns-encryption\/\">old Androids<\/a> got a security upgrade. And in weird news, FEMA <a href=\"https:\/\/www.wired.com\/story\/presidential-text-alert-fema-emergency-history\/\">sent out the first <\/a>\u201cpresidential\u201d text alert, which some people <a href=\"https:\/\/www.wired.com\/story\/how-to-turn-off-presidential-emergency-text-alert-test\/\">tried to avoid<\/a>, and others <a href=\"https:\/\/www.wired.com\/story\/why-didnt-i-get-emergency-presidential-alert-text\/\">didn\u2019t receive.<\/a><\/p>\n<p class=\"paywall\">And there&#x27;s more! As always, we\u2019ve rounded up all the news we didn\u2019t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.<\/p>\n<p class=\"paywall\">Sometimes, a good thing happens. 
We know, it\u2019s hard to believe. We almost didn\u2019t believe it ourselves! But a new law in California is going to ban any devices sold in the state from being sold with insecure default passwords. That doesn\u2019t maybe sound like a big deal, but it actually is. Remember that <a href=\"https:\/\/www.wired.com\/2016\/12\/botnet-broke-internet-isnt-going-away\/\">massive Mirai botnet<\/a> that took over the internet a few years ago? It worked by hacking millions of insecure Internet of Things devices, and then combining their power\u2014kind of like a zombie horde\u2014to become an internet-destabilizing super-botnet. It was only able to do that because so many IoT devices have bad default passwords. People often don\u2019t change those passwords, leaving those devices as sitting ducks for enterprising hackers. Now, any device that wants to be sold in the massive market that is California will need to come up with something better than \u201cPassword123.\u201d<\/p>\n<p class=\"paywall\">Back in February, special counsel <a href=\"https:\/\/www.wired.com\/story\/inside-the-mueller-indictment-a-russian-novel-of-intrigue\/\">Robert Mueller indicted<\/a> 13 Russian citizens and three Russian businesses for their hacking of the 2016 election. Since then, one of those businesses has mounted a spirited defense in US court\u2014a surprising turn of events since all the named defendants were safely in Russia and never needed to actually face any court proceedings in the US. Now, some legal experts believe the Russian company is engaging in the US judicial system in order to gather intelligence and undermine Mueller\u2019s Russia investigation, as ABC News reports. The concern is that Russia may be hoping to get information through the US legal system\u2019s disclosure requirements during the discovery phase of the case.<\/p>\n<p class=\"paywall\">Look, better late than never. 
Yes, your Twitter account has had two-factor turned on for years, and arguably two-factor isn\u2019t even the cutting-edge of security best practices anymore. But on Wednesday of this week, the chief technologist for the Center for Democracy and Technology <a href=\"https:\/\/twitter.com\/joebeone\/status\/1047608868287733760?s=21\" target=\"_blank\">noticed that this week the government<\/a> finally rolled out two-factor for .gov websites. Most importantly, it will be mandated for everyone who uses .gov domains or accounts.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/security-news-this-week-good-news-california-bans-bad-default-passwords\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5bb7e799235b00769c26836e\/master\/pass\/security%20roundup%20-%20devices%20with%20default%20passwords-getty-82090186-516390768-103228444.jpg\"\/><\/p>\n<p><strong>Credit to Author: Emily Dreyfuss| Date: Sat, 06 Oct 2018 13:00:00 +0000<\/strong><\/p>\n<p>Hardware hacks, the government gets two-factor, and more security news this 
week.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13533","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13533"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13533\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}